Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1558837
MD5: 33ae691f52ac46353b3f7cdf1d8916fd
SHA1: 004b8b32d043a62ce416abba571f9847b580b152
SHA256: f307bfc3d6f4e710338171629d9f690706887190750f0fd3845f8e56c49a2abe
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2704 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 33AE691F52AC46353B3F7CDF1D8916FD)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: file.exe ReversingLabs: Detection: 36%
Source: Submitted sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B29F2 CryptVerifySignatureA
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2112670118.0000000004A50000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2247402958.00000000001D2000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe Static PE information: section name: "" (empty)
Source: file.exe Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00354350
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00351000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00354357
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00353742
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00448A04
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00354B63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00354B85
Source: C:\Users\user\Desktop\file.exe Code function: String function: 003AD9E7 appears 35 times
Source: file.exe, 00000000.00000002.2247424748.00000000001D6000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename: defOff.exe vs file.exe
Source: file.exe Binary or memory string: OriginalFilename: defOff.exe vs file.exe
Source: classification engine Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 36%
Source: file.exe String found in binary or memory: '%s'. Please, re-install this application
Source: file.exe String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe String found in binary or memory: XRtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeVU
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: file.exe Static file information: File size 2763264 > 1048576
Source: file.exe Static PE information: Raw size of xtrzpeby is bigger than: 0x100000 < 0x29ca00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2112670118.0000000004A50000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2247402958.00000000001D2000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.1d0000.0.unpack :EW;.rsrc:W;.idata :W;xtrzpeby:EW;yovmqlsh:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x2a2be4 should be: 0x2ae69b
Source: file.exe Static PE information: section name: "" (empty)
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: xtrzpeby
Source: file.exe Static PE information: section name: yovmqlsh
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003611B7 push 253FEEF2h; mov dword ptr [esp], ecx (at 0_2_0036259B)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003611B7 push ebp; mov dword ptr [esp], esi (at 0_2_003625A6)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003611B7 push ebp; mov dword ptr [esp], edi (at 0_2_003625AA)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003611B7 push eax; mov dword ptr [esp], ebp (at 0_2_00362A81)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003611B7 push esi; mov dword ptr [esp], 7FB68217h (at 0_2_00363E3E)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00354219 push ebx; mov dword ptr [esp], ebp (at 0_2_00354244)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00354219 push 4723430Ch; mov dword ptr [esp], edx (at 0_2_00354275)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00354219 push edx; mov dword ptr [esp], 067B8A3Bh (at 0_2_003542AA)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00354350 push ecx; mov dword ptr [esp], edx (at 0_2_003543A9)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00354350 push ebp; mov dword ptr [esp], 75FD8B31h (at 0_2_003543CA)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00354350 push edi; mov dword ptr [esp], 7FFEB971h (at 0_2_0035440D)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00354350 push 7B42F830h; mov dword ptr [esp], edi (at 0_2_0035445C)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00354350 push esi; mov dword ptr [esp], ecx (at 0_2_0035447D)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001DE84D push eax; mov dword ptr [esp], ecx (at 0_2_001DFB57)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001DE84D push eax; mov dword ptr [esp], edx (at 0_2_001DFB5B)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001DE8EC push 58B864AAh; mov dword ptr [esp], eax (at 0_2_001DE902)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00361CA5 push eax; mov dword ptr [esp], 306A78F4h (at 0_2_00362B55)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00361CA5 push 27D28F99h; mov dword ptr [esp], esi (at 0_2_00362B64)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00362030 push 5A064DDDh; mov dword ptr [esp], edx (at 0_2_0036204D)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003DB033 push eax; mov dword ptr [esp], ecx (at 0_2_003DB068)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00361026 push ecx; mov dword ptr [esp], eax (at 0_2_00364055)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00355011 push edx; mov dword ptr [esp], ebp (at 0_2_003550AC)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00355011 push edx; mov dword ptr [esp], ebp (at 0_2_00355155)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00362013 push 6B77EC8Ah; mov dword ptr [esp], ebp (at 0_2_0036550C)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036101C push eax; mov dword ptr [esp], esi (at 0_2_003617D1)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036101C push 787FBA37h; mov dword ptr [esp], esi (at 0_2_00361BDE)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00367005 push 6C30D870h; mov dword ptr [esp], eax (at 0_2_00367014)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001DD028 push edx; mov dword ptr [esp], ecx (at 0_2_001DD297)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00351000 push ecx; mov dword ptr [esp], eax (at 0_2_00351007)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00351000 push 3CD42941h; mov dword ptr [esp], edi (at 0_2_00351041)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00351000 push ebx; mov dword ptr [esp], eax (at 0_2_00351105)
Source: file.exe Static PE information: section name: "" (empty), entropy: 7.769970936413303
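The static findings in this section (random-looking and empty section names, an entry point in .taggant, sections that end up writable and executable after unpacking, entropy near 8 and a checksum that does not match) can all be reproduced without a sandbox. The script below is an added Python example written for this page; it is not Joe Sandbox code and is not shipped with the report. It parses the PE headers with the standard library only. Because the analysed binary is not reproduced here, `build_sample()` constructs a small PE32 that imitates the reported layout (a packed section named xtrzpeby, the entry point inside a W+X section named .taggant, the stored checksum value 0x2a2be4); the 7.0 entropy cut-off and the list of "standard" section names are my assumptions. On a real file call `triage(open(path, "rb").read())`; nothing is executed, only parsed.

```python
"""Static PE checks for what the Data Obfuscation section flags: non-standard
section names, an entry point outside the usual code section, sections that
are writable and executable, high entropy, and a wrong PE checksum.
Standard library only; run it on any PE or on the constructed sample."""
import math
import struct
from collections import Counter

# Section names a stock linker emits (assumed list); anything else is suspect.
STANDARD = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata",
            ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000


def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8."""
    h, n = 0.0, len(data)
    for c in Counter(data).values():
        h -= c / n * math.log2(c / n)
    return h


def pe_checksum(image, skip):
    """CheckSumMappedFile algorithm: ones-complement sum of 16-bit words over
    the whole file, skipping the 4-byte CheckSum field at `skip`, folded to
    16 bits, plus the file length. This is the 'should be' value."""
    data = image + b"\0" * (len(image) % 2)
    total = 0
    for off in range(0, len(data), 2):
        if off in (skip, skip + 2):
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return total + len(image)


def triage(image):
    """Parse DOS/COFF/optional headers and the section table; return findings."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff, opt = pe + 4, pe + 24
    n_sections, opt_size = struct.unpack_from("<H12xH", image, coff + 2)
    entry = struct.unpack_from("<I", image, opt + 16)[0]      # AddressOfEntryPoint
    stored = struct.unpack_from("<I", image, opt + 64)[0]     # CheckSum field
    computed = pe_checksum(image, opt + 64)
    r = {"entry_rva": entry, "entry_section": None, "sections": [],
         "checksum_stored": stored, "checksum_computed": computed, "findings": []}
    for i in range(n_sections):
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("latin-1")
        ent = round(entropy(image[rptr:rptr + rsize]), 3)
        r["sections"].append({"name": name, "va": va, "flags": flags, "entropy": ent})
        if name not in STANDARD:
            r["findings"].append(f"non-standard section name {name!r}")
        if flags & SCN_WRITE and flags & SCN_EXECUTE:
            r["findings"].append(f"section {name!r} is writable and executable")
        if ent > 7.0:
            r["findings"].append(f"section {name!r} entropy {ent}, likely packed")
        if va <= entry < va + max(vsize, rsize):
            r["entry_section"] = name
    if r["entry_section"] not in STANDARD:
        r["findings"].append(f"entry point 0x{entry:x} lies in {r['entry_section']!r}")
    if stored and stored != computed:
        r["findings"].append(f"checksum 0x{stored:x} should be 0x{computed:x}")
    return r


def build_sample():
    """Constructed PE32 that mimics the layout reported above (it is NOT the
    analysed file): a packed W+X section with a random-looking name, the entry
    point in a W+X '.taggant' section, and the report's stored checksum value."""
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                            # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 3, 0, 0, 0, 224, 0x102)  # COFF
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                            # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x3010)                      # entry point
    struct.pack_into("<III", hdr, opt + 28, 0x400000, 0x1000, 0x200)   # base, alignments
    struct.pack_into("<III", hdr, opt + 56, 0x4000, 0x200, 0x2A2BE4)   # image, headers, CheckSum
    struct.pack_into("<I", hdr, opt + 92, 16)                          # NumberOfRvaAndSizes
    secs = [(b".text", 0x1000, 0x60000020, b"\x90" * 0x200),
            (b"xtrzpeby", 0x2000, 0xE0000040, bytes(range(256)) * 4),  # entropy 8.0
            (b".taggant", 0x3000, 0xE0000020, b"\xC3" * 0x200)]
    body, rptr = b"", len(hdr)
    for i, (name, va, flags, data) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 224 + 40 * i,
                         name, len(data), va, len(data), rptr, 0, 0, 0, 0, flags)
        body, rptr = body + data, rptr + len(data)
    return bytes(hdr) + body


if __name__ == "__main__":
    result = triage(build_sample())
    for s in result["sections"]:
        print(f"{s['name']:<9} va=0x{s['va']:04x} entropy={s['entropy']}")
    print("entry point section:", result["entry_section"])
    for finding in result["findings"]:
        print("!", finding)
```

A mismatching checksum on its own is weak evidence (many legitimate builds leave the field at zero, which the script treats as "not set"), but combined with an entry point outside .text and W+X sections it is the same picture the sandbox paints before the sample runs.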

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass (2 times)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS (3 times)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass (2 times)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX (16 times)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1DDF0B second address: 1DDF15 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3AC4E9EFACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1DDEFE second address: 1DDF0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3578FF second address: 357903 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 357C56 second address: 357C68 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3AC4B612C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F3AC4B612C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 357C68 second address: 357CBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3AC4E9EFACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d add edx, dword ptr [ebp+122D2B61h] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F3AC4E9EFA8h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f push edi 0x00000030 mov edx, dword ptr [ebp+122D3CD5h] 0x00000036 pop edi 0x00000037 call 00007F3AC4E9EFA9h 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 357CBD second address: 357CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 357CC1 second address: 357CCB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3AC4E9EFA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 357CCB second address: 357CE6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F3AC4B612CDh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 357CE6 second address: 357CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 357CEB second address: 357D0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F3AC4B612C6h 0x00000009 jmp 00007F3AC4B612CBh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 357D0A second address: 357D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 357DC2 second address: 357E12 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3AC4B612CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 2AAD4122h 0x00000011 push esi 0x00000012 pushad 0x00000013 call 00007F3AC4B612CEh 0x00000018 pop esi 0x00000019 mov ah, bl 0x0000001b popad 0x0000001c pop edx 0x0000001d lea ebx, dword ptr [ebp+1244D7F3h] 0x00000023 jmp 00007F3AC4B612D7h 0x00000028 cmc 0x00000029 xchg eax, ebx 0x0000002a push ebx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 357E12 second address: 357E16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 357E16 second address: 357E24 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 357E24 second address: 357E29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 376F5B second address: 376F67 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3AC4B612CEh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37720B second address: 377215 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3AC4E9EFACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 377395 second address: 3773AB instructions: 0x00000000 rdtsc 0x00000002 je 00007F3AC4B612CEh 0x00000008 jo 00007F3AC4B612C6h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3773AB second address: 3773B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 377527 second address: 377533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 377533 second address: 37755B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3AC4E9EFB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3AC4E9EFB4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3776AC second address: 3776BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3776BA second address: 3776BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3776BF second address: 3776DB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F3AC4B612D7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3779A6 second address: 3779AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3779AB second address: 3779D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F3AC4B612D6h 0x00000008 pop eax 0x00000009 push edi 0x0000000a jnc 00007F3AC4B612C6h 0x00000010 pop edi 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jp 00007F3AC4B612C8h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36BE4B second address: 36BE53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36BE53 second address: 36BE60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F3AC4B612C6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36BE60 second address: 36BE64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36BE64 second address: 36BE85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F3AC4B612C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push ecx 0x0000000e pushad 0x0000000f jmp 00007F3AC4B612D0h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36BE85 second address: 36BE8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 377B5A second address: 377B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 377B5F second address: 377B72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jne 00007F3AC4E9EFA6h 0x0000000b js 00007F3AC4E9EFA6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 377B72 second address: 377B82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jg 00007F3AC4B612D2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 377B82 second address: 377BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3AC4E9EFA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3AC4E9EFB8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3785B7 second address: 3785C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F3AC4B612C6h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3785C6 second address: 3785CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3785CC second address: 3785D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3785D0 second address: 3785E0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F3AC4E9EFAEh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3785E0 second address: 3785EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jnc 00007F3AC4B612C6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37891E second address: 378922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37AD7F second address: 37AD83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 380708 second address: 38070F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3808C0 second address: 3808CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3808CC second address: 3808D7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3808D7 second address: 3808ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jbe 00007F3AC4B612C8h 0x00000011 pushad 0x00000012 popad 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3808ED second address: 380918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F3AC4E9EFB1h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jng 00007F3AC4E9EFB2h 0x00000017 jo 00007F3AC4E9EFACh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 384CFC second address: 384D1E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3AC4B612C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F3AC4B612D3h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 384D1E second address: 384D33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d jl 00007F3AC4E9EFACh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34924E second address: 349268 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3AC4B612D6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3841D6 second address: 384201 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3AC4E9EFB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F3AC4E9EFA8h 0x0000000f push esi 0x00000010 pop esi 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 384352 second address: 384364 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c jno 00007F3AC4B612C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 384364 second address: 38436A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38436A second address: 384378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F3AC4B612CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3844D5 second address: 3844E1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3AC4E9EFAEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3844E1 second address: 3844E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 384B83 second address: 384BC7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3AC4E9EFBDh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jp 00007F3AC4E9EFB5h 0x00000011 push edx 0x00000012 pop edx 0x00000013 jmp 00007F3AC4E9EFADh 0x00000018 jmp 00007F3AC4E9EFAAh 0x0000001d push edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 386587 second address: 3865A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3AC4B612D5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3865A2 second address: 3865C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F3AC4E9EFB3h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3865C2 second address: 3865C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 388B96 second address: 388B9B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 388C1A second address: 388C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3AC4B612C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 388C25 second address: 388C2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 388C2C second address: 388C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 5D9BC233h 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F3AC4B612C8h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 push 4E0BCBCBh 0x0000002d push eax 0x0000002e push edx 0x0000002f jp 00007F3AC4B612D0h 0x00000035 jmp 00007F3AC4B612CAh 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 388EC8 second address: 388ECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 388FB4 second address: 388FB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 388FB8 second address: 388FBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 388FBC second address: 388FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 388FC2 second address: 388FCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F3AC4E9EFA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 389331 second address: 38933B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3AC4B612C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38933B second address: 389345 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3AC4E9EFACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 389956 second address: 389972 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3AC4B612D8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 389A32 second address: 389A4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3AC4E9EFB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 389C60 second address: 389C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38A391 second address: 38A410 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3AC4E9EFA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop edx 0x0000000e popad 0x0000000f nop 0x00000010 xor edi, 5C70012Ch 0x00000016 jmp 00007F3AC4E9EFB4h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007F3AC4E9EFA8h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 00000019h 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 mov si, 8574h 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ecx 0x00000040 call 00007F3AC4E9EFA8h 0x00000045 pop ecx 0x00000046 mov dword ptr [esp+04h], ecx 0x0000004a add dword ptr [esp+04h], 0000001Ch 0x00000052 inc ecx 0x00000053 push ecx 0x00000054 ret 0x00000055 pop ecx 0x00000056 ret 0x00000057 movsx edi, cx 0x0000005a xchg eax, ebx 0x0000005b push edx 0x0000005c push esi 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38A410 second address: 38A41F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38A41F second address: 38A425 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38A425 second address: 38A429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38C897 second address: 38C90B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3AC4E9EFACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D25A7h], eax 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F3AC4E9EFA8h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov edi, dword ptr [ebp+1246B05Ch] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebx 0x00000038 call 00007F3AC4E9EFA8h 0x0000003d pop ebx 0x0000003e mov dword ptr [esp+04h], ebx 0x00000042 add dword ptr [esp+04h], 00000015h 0x0000004a inc ebx 0x0000004b push ebx 0x0000004c ret 0x0000004d pop ebx 0x0000004e ret 0x0000004f jmp 00007F3AC4E9EFABh 0x00000054 xchg eax, ebx 0x00000055 pushad 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38C90B second address: 38C90F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38D4B1 second address: 38D4CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3AC4E9EFB8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38D4CD second address: 38D557 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3AC4B612CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c or esi, 4AE4BB4Bh 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F3AC4B612C8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007F3AC4B612C8h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 0000001Dh 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a mov esi, dword ptr [ebp+122D3AF1h] 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jnl 00007F3AC4B612DCh 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38DF24 second address: 38DF2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F3AC4E9EFA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38DF2F second address: 38DFAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F3AC4B612C8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 jmp 00007F3AC4B612D1h 0x00000029 mov di, ax 0x0000002c push 00000000h 0x0000002e pushad 0x0000002f push ecx 0x00000030 mov si, B370h 0x00000034 pop edi 0x00000035 mov ecx, ebx 0x00000037 popad 0x00000038 push 00000000h 0x0000003a jmp 00007F3AC4B612CCh 0x0000003f xchg eax, ebx 0x00000040 jmp 00007F3AC4B612CFh 0x00000045 push eax 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F3AC4B612CFh 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38F4EA second address: 38F541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F3AC4E9EFA6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 popad 0x00000012 nop 0x00000013 mov esi, 725F7671h 0x00000018 push 00000000h 0x0000001a mov edi, eax 0x0000001c mov esi, dword ptr [ebp+122D3D91h] 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push ebp 0x00000027 call 00007F3AC4E9EFA8h 0x0000002c pop ebp 0x0000002d mov dword ptr [esp+04h], ebp 0x00000031 add dword ptr [esp+04h], 00000014h 0x00000039 inc ebp 0x0000003a push ebp 0x0000003b ret 0x0000003c pop ebp 0x0000003d ret 0x0000003e and esi, dword ptr [ebp+122D3D9Dh] 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F3AC4E9EFAEh 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38F251 second address: 38F271 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3AC4B612D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38F271 second address: 38F277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38F277 second address: 38F280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38F280 second address: 38F284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 39100E second address: 3910AC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3AC4B612D2h 0x00000008 jmp 00007F3AC4B612CCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jns 00007F3AC4B612CAh 0x00000016 nop 0x00000017 jmp 00007F3AC4B612CDh 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007F3AC4B612C8h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 mov ebx, 3ACDE8C1h 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push ebp 0x00000042 call 00007F3AC4B612C8h 0x00000047 pop ebp 0x00000048 mov dword ptr [esp+04h], ebp 0x0000004c add dword ptr [esp+04h], 00000015h 0x00000054 inc ebp 0x00000055 push ebp 0x00000056 ret 0x00000057 pop ebp 0x00000058 ret 0x00000059 mov dword ptr [ebp+1247852Ah], eax 0x0000005f mov dword ptr [ebp+122D3AB6h], eax 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 jng 00007F3AC4B612DCh 0x0000006e jmp 00007F3AC4B612D6h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 391FEB second address: 391FF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edi 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 391FF6 second address: 392068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 nop 0x00000007 jmp 00007F3AC4B612D3h 0x0000000c jg 00007F3AC4B612C8h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007F3AC4B612C8h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007F3AC4B612C8h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a mov bl, ch 0x0000004c push eax 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 push edi 0x00000051 pop edi 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 391203 second address: 391209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 391209 second address: 39120E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 39120E second address: 39126A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3AC4E9EFADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c sub dword ptr [ebp+122D1CDDh], esi 0x00000012 push dword ptr fs:[00000000h] 0x00000019 add dword ptr [ebp+122D1CDDh], ecx 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 jmp 00007F3AC4E9EFAEh 0x0000002b mov eax, dword ptr [ebp+122D06ADh] 0x00000031 adc edi, 64DDEAF0h 0x00000037 push FFFFFFFFh 0x00000039 jnc 00007F3AC4E9EFACh 0x0000003f nop 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 push edi 0x00000044 pop edi 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 393F7A second address: 393F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 393F7E second address: 393F82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 393F82 second address: 393F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 395EEA second address: 395F80 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3AC4E9EFA8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jne 00007F3AC4E9EFACh 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007F3AC4E9EFA8h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e mov edi, dword ptr [ebp+122D28FCh] 0x00000034 push 00000000h 0x00000036 add dword ptr [ebp+122D2B02h], edi 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push edi 0x00000041 call 00007F3AC4E9EFA8h 0x00000046 pop edi 0x00000047 mov dword ptr [esp+04h], edi 0x0000004b add dword ptr [esp+04h], 0000001Ah 0x00000053 inc edi 0x00000054 push edi 0x00000055 ret 0x00000056 pop edi 0x00000057 ret 0x00000058 call 00007F3AC4E9EFB3h 0x0000005d mov edi, 6799C3E3h 0x00000062 pop ebx 0x00000063 sub dword ptr [ebp+122D2B40h], esi 0x00000069 xchg eax, esi 0x0000006a push esi 0x0000006b push eax 0x0000006c push edx 0x0000006d jnc 00007F3AC4E9EFA6h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3940D5 second address: 394161 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 je 00007F3AC4B612C6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F3AC4B612CEh 0x00000012 nop 0x00000013 sbb edi, 0B586B15h 0x00000019 push dword ptr fs:[00000000h] 0x00000020 call 00007F3AC4B612D2h 0x00000025 and edi, 0F4C2C2Ch 0x0000002b pop ebx 0x0000002c mov dword ptr fs:[00000000h], esp 0x00000033 stc 0x00000034 mov dword ptr [ebp+122D2060h], ebx 0x0000003a mov eax, dword ptr [ebp+122D1569h] 0x00000040 pushad 0x00000041 push ecx 0x00000042 jmp 00007F3AC4B612CAh 0x00000047 pop edx 0x00000048 push edx 0x00000049 or dword ptr [ebp+122D2C19h], edi 0x0000004f pop eax 0x00000050 popad 0x00000051 push FFFFFFFFh 0x00000053 movzx edi, dx 0x00000056 jmp 00007F3AC4B612D0h 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e ja 00007F3AC4B612C8h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3951AA second address: 3951AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3951AF second address: 3951B9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3AC4B612CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3970EC second address: 3970F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3970F1 second address: 3970F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3960DA second address: 3960E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 39B5EF second address: 39B5F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 39B5F3 second address: 39B5FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3AC4E9EFA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 399944 second address: 39994E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 39994E second address: 3999CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007F3AC4E9EFA8h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D318Ah], edx 0x00000029 push dword ptr fs:[00000000h] 0x00000030 mov ebx, dword ptr [ebp+122D3E09h] 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d push 00000000h 0x0000003f push edx 0x00000040 call 00007F3AC4E9EFA8h 0x00000045 pop edx 0x00000046 mov dword ptr [esp+04h], edx 0x0000004a add dword ptr [esp+04h], 00000014h 0x00000052 inc edx 0x00000053 push edx 0x00000054 ret 0x00000055 pop edx 0x00000056 ret 0x00000057 pushad 0x00000058 jnp 00007F3AC4E9EFACh 0x0000005e popad 0x0000005f mov eax, dword ptr [ebp+122D05C5h] 0x00000065 push FFFFFFFFh 0x00000067 sub dword ptr [ebp+122D27FFh], ecx 0x0000006d nop 0x0000006e push eax 0x0000006f push edx 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3999CE second address: 3999D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3999D2 second address: 3999D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 39B5FF second address: 39B604 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3999D6 second address: 3999DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 39CAB7 second address: 39CB27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007F3AC4B612D4h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F3AC4B612C8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a mov dword ptr [ebp+122D1D2Ch], edx 0x00000030 push 00000000h 0x00000032 mov ebx, 3E8AA61Fh 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007F3AC4B612C8h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 00000014h 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 push eax 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 jno 00007F3AC4B612C6h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 39FDA1 second address: 39FDA7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 39FDA7 second address: 39FDCC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F3AC4B612D5h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jbe 00007F3AC4B612CEh 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A0DE6 second address: 3A0E85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3AC4E9EFB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b jmp 00007F3AC4E9EFB2h 0x00000010 pop eax 0x00000011 nop 0x00000012 push eax 0x00000013 or dword ptr [ebp+1246BBB3h], esi 0x00000019 pop ebx 0x0000001a push dword ptr fs:[00000000h] 0x00000021 call 00007F3AC4E9EFB8h 0x00000026 pop edi 0x00000027 mov dword ptr fs:[00000000h], esp 0x0000002e mov bx, 8C29h 0x00000032 mov eax, dword ptr [ebp+122D06A5h] 0x00000038 add bl, 00000058h 0x0000003b push FFFFFFFFh 0x0000003d push 00000000h 0x0000003f push eax 0x00000040 call 00007F3AC4E9EFA8h 0x00000045 pop eax 0x00000046 mov dword ptr [esp+04h], eax 0x0000004a add dword ptr [esp+04h], 0000001Ch 0x00000052 inc eax 0x00000053 push eax 0x00000054 ret 0x00000055 pop eax 0x00000056 ret 0x00000057 mov dword ptr [ebp+1246056Ah], edi 0x0000005d mov di, 1200h 0x00000061 nop 0x00000062 push ecx 0x00000063 push esi 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A0E85 second address: 3A0E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3AC4B612D0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AB83B second address: 3AB84B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3AC4E9EFA6h 0x00000008 jnc 00007F3AC4E9EFA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AB84B second address: 3AB850 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AB850 second address: 3AB863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3AC4E9EFADh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AAFA8 second address: 3AAFAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AAFAE second address: 3AAFC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3AC4E9EFAEh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AAFC1 second address: 3AAFD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AAFD0 second address: 3AAFD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AAFD4 second address: 3AB00F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b jne 00007F3AC4B612C6h 0x00000011 popad 0x00000012 jmp 00007F3AC4B612CCh 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F3AC4B612D9h 0x0000001e push edi 0x0000001f pop edi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C12CA second address: 3C12DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3AC4E9EFADh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C12DD second address: 3C12E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C084D second address: 3C0862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push ecx 0x00000007 ja 00007F3AC4E9EFB2h 0x0000000d jnl 00007F3AC4E9EFA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C0D9A second address: 3C0DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push edx 0x00000007 push ebx 0x00000008 jmp 00007F3AC4B612D3h 0x0000000d jmp 00007F3AC4B612CAh 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C0DC4 second address: 3C0DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3AC4E9EFB5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C0EF6 second address: 3C0F0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3AC4B612D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3443C4 second address: 3443CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 400A89 second address: 400AA7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F3AC4E9EFB1h 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 400AA7 second address: 400AAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 400C2A second address: 400C3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3AC4E9EFAAh 0x00000008 jc 00007F3AC4E9EFA6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 400D97 second address: 400D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 400F38 second address: 400F3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 400F3C second address: 400F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 400F42 second address: 400F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 400F4B second address: 400F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 407686 second address: 4076B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3AC4E9EFB9h 0x00000009 jmp 00007F3AC4E9EFB4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 407955 second address: 40796F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3AC4B612D6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 407E7C second address: 407E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3AC4E9EFA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 407E86 second address: 407E96 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jne 00007F3AC4B612C6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 407E96 second address: 407E9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 407E9A second address: 407EA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 408DE7 second address: 408DF5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3AC4E9EFA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 408DF5 second address: 408DFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 408DFD second address: 408E05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 408E05 second address: 408E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F3AC4B612C6h 0x0000000a jnc 00007F3AC4B612C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41AAD1 second address: 41AAE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jno 00007F3AC4E9EFA6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41EEDC second address: 41EEFA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3AC4B612D3h 0x00000008 jmp 00007F3AC4B612CBh 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41EEFA second address: 41EF04 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3AC4E9EFA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41EF04 second address: 41EF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41EBEB second address: 41EBEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41EBEF second address: 41EC06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F3AC4B612C6h 0x0000000d jnp 00007F3AC4B612C6h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 421485 second address: 421489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 421489 second address: 4214AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3AC4B612CEh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007F3AC4B612C6h 0x00000016 ja 00007F3AC4B612C6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4214AE second address: 4214C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3AC4E9EFB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4214C4 second address: 4214DF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3AC4B612C8h 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b ja 00007F3AC4B612C6h 0x00000011 js 00007F3AC4B612C6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42166C second address: 421671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 428026 second address: 42802B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 426CA8 second address: 426CAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 426CAC second address: 426CB8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jo 00007F3AC4B612C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 426CB8 second address: 426CDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jne 00007F3AC4E9EFA6h 0x0000000d popad 0x0000000e push edi 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jnc 00007F3AC4E9EFA6h 0x00000017 pop edi 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b jg 00007F3AC4E9EFB2h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43290F second address: 432915 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 432915 second address: 43291B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43291B second address: 432965 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 jmp 00007F3AC4B612D8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push ebx 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F3AC4B612D7h 0x0000001e pop ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 push esi 0x00000022 pop esi 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 432784 second address: 43278C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43278C second address: 4327AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3AC4B612D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F3AC4B612CCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 438FE7 second address: 439014 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jbe 00007F3AC4E9EFBBh 0x0000000f jmp 00007F3AC4E9EFB5h 0x00000014 pushad 0x00000015 ja 00007F3AC4E9EFA6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 439014 second address: 43901A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43901A second address: 439023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 439023 second address: 439027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4378C7 second address: 4378E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3AC4E9EFB8h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4378E4 second address: 4378EB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4378EB second address: 4378F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 jnl 00007F3AC4E9EFA6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 437A2B second address: 437A3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 jl 00007F3AC4B612C6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 437A3B second address: 437A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 js 00007F3AC4E9EFB5h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F3AC4E9EFADh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43D155 second address: 43D15F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43D15F second address: 43D16B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43D2B2 second address: 43D2D8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3AC4B612CAh 0x00000008 jl 00007F3AC4B612DEh 0x0000000e jmp 00007F3AC4B612D2h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 449CA7 second address: 449CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 449CAB second address: 449CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45E285 second address: 45E290 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnl 00007F3AC4E9EFA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45E290 second address: 45E2B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007F3AC4B612D9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45E2B6 second address: 45E2BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45E2BA second address: 45E2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F3AC4B612D7h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45E709 second address: 45E70D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 463744 second address: 46375D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3AC4B612D5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46375D second address: 463774 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3AC4E9EFAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 463147 second address: 46314B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46314B second address: 463153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 463153 second address: 463189 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3AC4B612C8h 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007F3AC4B612CEh 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jnp 00007F3AC4B612D2h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46880F second address: 468813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 468813 second address: 46882D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3AC4B612D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46BE18 second address: 46BE20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46D96F second address: 46D994 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3AC4B612D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F3AC4B612CEh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46344B second address: 463451 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 463451 second address: 463470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3AC4B612D5h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 463470 second address: 463474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 463474 second address: 463488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F3AC4B612C6h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 463488 second address: 4634A8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3AC4E9EFAEh 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 464664 second address: 46469B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F3AC4B612C6h 0x0000000a popad 0x0000000b jmp 00007F3AC4B612CBh 0x00000010 jnp 00007F3AC4B612C8h 0x00000016 push edx 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F3AC4B612D1h 0x0000001f jg 00007F3AC4B612C6h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38BBC3 second address: 38BBC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1DDF51 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1DB4FE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1DDEA1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3876EA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 415C7B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4BE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4D60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 6D60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00357B96 rdtsc 0_2_00357B96
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 3652 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B7AD1 GetSystemInfo,VirtualAlloc,0_2_003B7AD1
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.2247662851.000000000035E000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2247662851.000000000035E000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00357B96 rdtsc 0_2_00357B96
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001DB7DA LdrInitializeThunk,0_2_001DB7DA
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B1B34 GetSystemTime,GetFileTime,0_2_003B1B34

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK matrix (the number in parentheses is the badge the report shows beside a technique; cells without a number are the matrix's unmatched placeholders):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (1) | Masquerading (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (41) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Bypass User Account Control (2) | Virtualization/Sandbox Evasion (261) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (1) | NTDS | Virtualization/Sandbox Evasion (261) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | System Information Discovery (24) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (11) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Bypass User Account Control (2) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner | Label
file.exe | 37% | ReversingLabs | Win32.Infostealer.Tinba
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1558837
Start date and time:2024-11-19 21:02:08 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 12s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.439560507282752
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:2'763'264 bytes
MD5:33ae691f52ac46353b3f7cdf1d8916fd
SHA1:004b8b32d043a62ce416abba571f9847b580b152
SHA256:f307bfc3d6f4e710338171629d9f690706887190750f0fd3845f8e56c49a2abe
SHA512:96aee398ec59ede95408beb3e0a8737073a6d4c168a912eec5138b233aa28eb577e16fbef956ce67c561b0039b617d17e1822a3933c5eec5f06ceeefdde62314
SSDEEP:49152:LTQKdPvdNDzIe29CmU3UQZ71bWRD+SAqjXgJ9:PQKdXdNDzIe29CmeFpFSPjwJ9
TLSH:39D55A92B80572CFE8CF27B89427CD86AD6D07BA4B2448C7D86D64BA7D63CC115B7C24
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............*.. ...`....@.. ........................*......+*...`................................
Icon Hash:00928e8e8686b000
Entrypoint:0x6aa000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(name not shown) | 0x2000 | 0x4000 | 0x1200 | c0304d49884df70af722bf3b87e37b95 | False | 0.9312065972222222 | data | 7.769970936413303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xtrzpeby | 0xa000 | 0x29e000 | 0x29ca00 | d634d396dc8b80c1d852936ae9dc850a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
yovmqlsh | 0x2a8000 | 0x2000 | 0x400 | 6fcaf067522544337485f8719b5044a6 | False | 0.7275390625 | data | 5.838013533410285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2aa000 | 0x4000 | 0x2200 | e8508873d88147ea4597a12984b5d7d3 | False | 0.07456341911764706 | DOS executable (COM) | 0.9308905923901474 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
No network behavior found


Target ID:0
Start time:15:02:58
Start date:19/11/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x1d0000
File size:2'763'264 bytes
MD5 hash:33AE691F52AC46353B3F7CDF1D8916FD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Execution Graph

    Execution Coverage:6%
    Dynamic/Decrypted Code Coverage:3.2%
    Signature Coverage:4.5%
    Total number of Nodes:378
    Total number of Limit Nodes:25

    Control-flow Graph
    APIs
    • CreateFileA.KERNELBASE(?,D9CC1CA4,00000003), ref: 00357C09
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: C
    • API String ID: 823142352-1037565863
    • Opcode ID: 23d51732ba2efadc04068603660a3773031e98c0461cb9f5ccdf68af0322a930
    • Instruction ID: 1a58cf27db95e3d258e3f434c5154b75e09182ca251d9242b5834dbe98d52e63
    • Opcode Fuzzy Hash: 23d51732ba2efadc04068603660a3773031e98c0461cb9f5ccdf68af0322a930
    • Instruction Fuzzy Hash: 9C21387210C209AEDB02DF65E951EBF3BA9DF80322F30845AEC42C3960C2711D54CB29

    Control-flow Graph
    APIs
    • GetSystemInfo.KERNELBASE(?,-120F5FEC), ref: 003B7ADD
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 003B7B3E
    Memory Dump Source
    • Source File: 00000000.00000002.2247898229.00000000003B7000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    • Associated: 00000000.00000002.2248240095.00000000003FF000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248258627.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248275714.0000000000402000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248300280.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248320039.000000000041A000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248337323.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248337323.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248397664.0000000000461000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248397664.0000000000468000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248434205.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248452681.000000000047A000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: f93e4f27444d9628a31f5a922b5bf9ea613152d28f53f02df4a7d9a1edc8d8e4
    • Instruction ID: 8ceb53bb3fa8eb963fc1ea464dd70f7d3bebdc46154726fb856299b20a72f03b
    • Opcode Fuzzy Hash: f93e4f27444d9628a31f5a922b5bf9ea613152d28f53f02df4a7d9a1edc8d8e4
    • Instruction Fuzzy Hash: 1841F4B1A44206EFE329CF60CC45B96BBACFF48744F1004A6A347DDD92D67595E48BA0
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: b640b0c4baab78fc1adcb9c2d45a2b278f418e23e0b685907f6c7936872d8073
    • Instruction ID: 0add735e74f3208ee7f4d6f94dbe2b0db42c4f3995ead5b27a370d2dfa83cefb
    • Opcode Fuzzy Hash: b640b0c4baab78fc1adcb9c2d45a2b278f418e23e0b685907f6c7936872d8073
    • Instruction Fuzzy Hash: F44165B250D200EFD309AF29D8425AEFBF9FF99350F16482EE6D682610C3344881CB97
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247442044.00000000001DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID:
    • String ID: !!iH
    • API String ID: 0-3430752988
    • Opcode ID: 4f4b5987744ab379335d5ff0d4ae72ee5d297fc5004b533236c8103fca1b9ca6
    • Instruction ID: e1f129a611076a5051e8f0c2873536c34324e3fbd6e08f5ede0536ed4327e473
    • Opcode Fuzzy Hash: 4f4b5987744ab379335d5ff0d4ae72ee5d297fc5004b533236c8103fca1b9ca6
    • Instruction Fuzzy Hash: 20E0C2B110C5C9CEDF2ADF7089427A9360EEB50B04F920617FB438AF4ACB2D0D11879A

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 003AF1CB
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 003AF1DF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: f2022bc735022118b2b1860d4be79f080b818e29e538571d5f3674c070380bd7
    • Instruction ID: a145b0cf55edb44e83625d5982c9724f229163dce71fae83277f61bb83525477
    • Opcode Fuzzy Hash: f2022bc735022118b2b1860d4be79f080b818e29e538571d5f3674c070380bd7
    • Instruction Fuzzy Hash: A231A031804206FFCF27EF90D909AAE7B79FF0A354F104179F9029A561DB3199A0DB91

    Control-flow Graph

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247898229.00000000003B7000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID:
    • String ID: .exe$.exe
    • API String ID: 0-1392631246
    • Opcode ID: 467d985dceed4c4708a9cb2c0b88115a8a5bc46681a086f6f97dd078deef6faa
    • Instruction ID: fc9407e9efd4e3069049b6348d387b55c8cdcb470c7ac066b34a00ddfed5c027
    • Opcode Fuzzy Hash: 467d985dceed4c4708a9cb2c0b88115a8a5bc46681a086f6f97dd078deef6faa
    • Instruction Fuzzy Hash: 51418E71900205EFDB32DF14C944BEA77B8FF00318F164456EB12AB952DB70AC90DB61

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,003AF552,?,00000000,00000000), ref: 003AF67D
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,003AF552,?,00000000,00000000), ref: 003AF68B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: d1afb7492383a41b7d502eb3e6facf9772dfebb5973e9fdb2cce11b72c4395b0
    • Instruction ID: 92173008a30af597ba84e60c4edaa1bbfadd7d6e52586d4e6b865899d00b13d8
    • Opcode Fuzzy Hash: d1afb7492383a41b7d502eb3e6facf9772dfebb5973e9fdb2cce11b72c4395b0
    • Instruction Fuzzy Hash: BE113C3010160AFEDB37EFA4C949B9EBB74FF02345F154235A802888B1DBB599E0DE95

    Control-flow Graph

    control_flow_graph 105 3b1f1a-3b1f28 106 3b1f3a 105->106 107 3b1f2e-3b1f35 105->107 108 3b1f41-3b1f57 call 3ad9e7 call 3ae14b 106->108 107->108 113 3b1f5d-3b1f6b call 3ae0f9 108->113 114 3b1f76 108->114 120 3b1f82-3b1f87 113->120 121 3b1f71 113->121 116 3b1f7a-3b1f7d 114->116 118 3b1fad-3b1fb4 call 3ada92 116->118 123 3b1f9e-3b1fa1 GetFileAttributesA 120->123 124 3b1f8d-3b1f99 GetFileAttributesW 120->124 121->116 125 3b1fa7-3b1fa8 123->125 124->125 125->118
    APIs
    • GetFileAttributesW.KERNELBASE(00EF0324,-120F5FEC), ref: 003B1F93
    • GetFileAttributesA.KERNEL32(00000000,-120F5FEC), ref: 003B1FA1
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 91cadc344face9cc35525fd2ad26d0a64547ebfaf1b670a1681e16b280a2a506
    • Instruction ID: 93c4c61df0ad9aa80e4db1b49bfb5bbe68003bb9a73fd338c2dadad662e80cbb
    • Opcode Fuzzy Hash: 91cadc344face9cc35525fd2ad26d0a64547ebfaf1b670a1681e16b280a2a506
    • Instruction Fuzzy Hash: 64018171508205FAEB23DF64C819BFC7E74EF01348FA48225E60369C90D7B49B91EB00

    Control-flow Graph

    control_flow_graph 126 3611b7-363662 131 363664-36367f RegOpenKeyA 126->131 132 36368b-3636a6 RegOpenKeyA 126->132 131->132 133 363681 131->133 134 3636be-3636ea 132->134 135 3636a8-3636b2 132->135 133->132 138 3636f7-363701 134->138 139 3636ec-3636f5 GetNativeSystemInfo 134->139 135->134 140 363703 138->140 141 36370d-36371b 138->141 139->138 140->141 143 363727-36372e 141->143 144 36371d 141->144 145 363734-36373b 143->145 146 363741 143->146 144->143 145->146 147 363e2a-363e31 145->147 148 363dd2-363dd9 146->148 149 363e37-36453d 147->149 150 362590-363bbd 147->150 151 3664d8-366d92 148->151 149->151 150->148
    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00363677
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 0036369E
    • GetNativeSystemInfo.KERNELBASE(?), ref: 003636F5
    Memory Dump Source
    • Source File: 00000000.00000002.2247662851.000000000035E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: 90eef1cbe939094e311369fee0c3e7ee2fb35c561321ffa1b2926e8d5e76396e
    • Instruction ID: 804b8a2610406ac475863096bb8da4691c9685a774c3a72b2ea510547cb5990e
    • Opcode Fuzzy Hash: 90eef1cbe939094e311369fee0c3e7ee2fb35c561321ffa1b2926e8d5e76396e
    • Instruction Fuzzy Hash: 9451B5B140860EDFDB12DF24DC446AF77E8FF44310F228929E88286A44DB729DA4DF59

    Control-flow Graph

    control_flow_graph 162 3adf9a-3adfca 164 3adfd0-3adfe5 162->164 165 3ae0f5-3ae0f6 162->165 164->165 167 3adfeb-3adfef 164->167 168 3ae011-3ae018 167->168 169 3adff5-3ae007 PathAddExtensionA 167->169 170 3ae03a-3ae041 168->170 171 3ae01e-3ae02d call 3adc3b 168->171 172 3ae010 169->172 174 3ae083-3ae08a 170->174 175 3ae047-3ae04e 170->175 176 3ae032-3ae034 171->176 172->168 179 3ae0ac-3ae0b3 174->179 180 3ae090-3ae0a6 call 3adc3b 174->180 177 3ae067-3ae076 call 3adc3b 175->177 178 3ae054-3ae05d 175->178 176->165 176->170 189 3ae07b-3ae07d 177->189 178->177 183 3ae063 178->183 181 3ae0b9-3ae0cf call 3adc3b 179->181 182 3ae0d5-3ae0dc 179->182 180->165 180->179 181->165 181->182 182->165 188 3ae0e2-3ae0ef call 3adc74 182->188 183->177 188->165 189->165 189->174
    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 003ADFFC
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 942f079b21ae73ae764b7f668839084463d7d981b1fe8db6c3f25a7b6971f524
    • Instruction ID: fc6008bfaced5b0883a8c6312a1210512092ac5c5fd4f4b7e2188f56aa570c27
    • Opcode Fuzzy Hash: 942f079b21ae73ae764b7f668839084463d7d981b1fe8db6c3f25a7b6971f524
    • Instruction Fuzzy Hash: 48313C31900209BFDF22EF99CD09F9EBB76FF0A300F000155F901A6461D7B29961DB55

    Control-flow Graph

    control_flow_graph 214 357e4a-357e53 CreateFileA 215 357e5f-357e60 214->215 216 357e59 214->216 217 357e66-357e79 call 357e7c 215->217 218 357eb2-357ec8 215->218 216->215 220 357ed0-357f36 218->220 221 357ece-357ecf 218->221 227 357f42-357f61 call 357f64 220->227 228 357f3c 220->228 221->220 228->227
    Memory Dump Source
    • Source File: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: C
    • API String ID: 823142352-1037565863
    • Opcode ID: 1709bff2f2027e5d65a796e62ad728770f23c5ca8b2a090b438449484c9a5598
    • Instruction ID: 8d53af91ede1a71058948083da7dfb362118c9d5a2f94216f7c9f087420ad084
    • Opcode Fuzzy Hash: 1709bff2f2027e5d65a796e62ad728770f23c5ca8b2a090b438449484c9a5598
    • Instruction Fuzzy Hash: 0011E17260C24EAEDB02DF64E841EAF7B66EF81322F60815AEC05D3E61C6721C558B58

    Control-flow Graph (figure not reproduced; blocks 357a03-357f61, API call CreateFileA)
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: C
    • API String ID: 823142352-1037565863
    • Opcode ID: fcc4c3dbfa5361a90a033933b5e0ffefbf854e84bf5ead66b4ba86d5f81692cc
    • Instruction ID: 0d1c8a94e91cd85b5d36e9bf1c2c1515145fee8eb85313310fa13a6e9ec84aa8
    • Opcode Fuzzy Hash: fcc4c3dbfa5361a90a033933b5e0ffefbf854e84bf5ead66b4ba86d5f81692cc
    • Instruction Fuzzy Hash: 8701D27150C24E9BDB02DF64D881FAE3BA5EF41322F204159EC0593D61C2B21D558B58

    Control-flow Graph (figure not reproduced; blocks 3af6a9-3af71f, API call GetModuleHandleExA)
    APIs
      • Part of subcall function 003AD9E7: GetCurrentThreadId.KERNEL32 ref: 003AD9F6
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 003AF70D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleThread
    • String ID: .dll
    • API String ID: 2752942033-2738580789
    • Opcode ID: 72702433bf8222ccdd7fba785684e0b4950e3e2a21a2fe8a5af24f944023fb33
    • Instruction ID: 3b621f21aa326d83fb34c6e85de62b4c9eefc6203008571f0f9947156f575ecc
    • Opcode Fuzzy Hash: 72702433bf8222ccdd7fba785684e0b4950e3e2a21a2fe8a5af24f944023fb33
    • Instruction Fuzzy Hash: 0AF03071104205AFDF12DF94D945AAE7BA4FF19340F508125FD074D561D771C461AB51

    Control-flow Graph (figure not reproduced; blocks 3b2136-3b221b, API calls CreateFileW and CreateFileA)
    APIs
    • CreateFileW.KERNELBASE(00EF0324,?,?,-120F5FEC,?,?,?,-120F5FEC,?), ref: 003B21E8
      • Part of subcall function 003B20E8: IsBadWritePtr.KERNEL32(?,00000004), ref: 003B20F6
    • CreateFileA.KERNEL32(?,?,?,-120F5FEC,?,?,?,-120F5FEC,?), ref: 003B2208
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: 05f8ded46314233569946e8062cc6af0dc4cfa5dc46b0fd48ece8914de5eb666
    • Instruction ID: 55ed0665332fccf1fef918c6ec7b3525df6e1d7a0454e5b25e63dc839b03ffe6
    • Opcode Fuzzy Hash: 05f8ded46314233569946e8062cc6af0dc4cfa5dc46b0fd48ece8914de5eb666
    • Instruction Fuzzy Hash: C411237110014AFBEF139FA8CD09BDE3E72BF09348F148215BB1668860D776C9A2EB51

    Control-flow Graph (figure not reproduced; blocks 3b1aa2-3b1b28, API calls GetCurrentProcess and DuplicateHandle)
    APIs
      • Part of subcall function 003AD9E7: GetCurrentThreadId.KERNEL32 ref: 003AD9F6
    • GetCurrentProcess.KERNEL32(-120F5FEC), ref: 003B1AAF
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 003B1B15
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessThread
    • String ID:
    • API String ID: 3748180921-0
    • Opcode ID: b234025021a082309d192944fd2647caa41c60dfa7b9183f4319707fd8fd1df9
    • Instruction ID: bc547f5ca7442f6dacc2a1cbf86b793281dcb8e5b1b5a837d9e25a5237609353
    • Opcode Fuzzy Hash: b234025021a082309d192944fd2647caa41c60dfa7b9183f4319707fd8fd1df9
    • Instruction Fuzzy Hash: 0401E43210010AFA8F23EFA4DC19CDE3B39FFA9354B408115FA0799821DB75D462EBA1

    Control-flow Graph (figure not reproduced; blocks 3b7e74-3b7eee, API call VirtualAlloc)
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,v{;,003B7E70,?,?,?,?,?,v{;,?,?,003B7B76), ref: 003B7E94
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247898229.00000000003B7000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    • Associated: 00000000.00000002.2248397664.0000000000461000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248397664.0000000000468000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248434205.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248452681.000000000047A000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID: v{;
    • API String ID: 4275171209-3539829993
    • Opcode ID: 1e6e5a3494c9a6822083a16eb23d4c7c2e46b3f531e93e9df8c3bbf3b4f8ad26
    • Instruction ID: 11abe7e1286fbdee299bf4fc39b3392422efb194123c86bbd5dadb38a3e0a3ca
    • Opcode Fuzzy Hash: 1e6e5a3494c9a6822083a16eb23d4c7c2e46b3f531e93e9df8c3bbf3b4f8ad26
    • Instruction Fuzzy Hash: B8F0F4B1904209EFD721CF04CD08B9ABBE5FF84311F1184A4F54AAB991D7B08CC0CB50
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 6578946c4244f676de84c163659d52f9ebdbc2d89d82d37c909896d7d7bc5524
    • Instruction ID: 4dcc6ff52ba9ab525a0db56b396b22690118720347054bd2034c6f54974e1f26
    • Opcode Fuzzy Hash: 6578946c4244f676de84c163659d52f9ebdbc2d89d82d37c909896d7d7bc5524
    • Instruction Fuzzy Hash: D43160F250C604AFE7166F49EC81ABEFBE9EF89360F11482DF6C4C2640E63558408B97
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 003B01D6
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 4dda36834c386ff92e194568a2dc598914bb4efc1dffaa2801d6b4d2fc9126ff
    • Instruction ID: a3ed6ebf8f5e406616c5e83a60e62c832bc1e0892254ae676d43512c6cf51aaa
    • Opcode Fuzzy Hash: 4dda36834c386ff92e194568a2dc598914bb4efc1dffaa2801d6b4d2fc9126ff
    • Instruction Fuzzy Hash: 36318D71900204BEEB26DFA8DC49F9EBBB8FF44728F208169F615AA591C771A941DB10
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 003AF9BF
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: fa7ee5e941c1d0a430a2cd79ff711db1dd2d806f3dc4b78e326eecfbcea7b27a
    • Instruction ID: 963872f8ad3deba8b2b8c715c4eeacb09ceef49e987eafed95eefbea1c8f1e60
    • Opcode Fuzzy Hash: fa7ee5e941c1d0a430a2cd79ff711db1dd2d806f3dc4b78e326eecfbcea7b27a
    • Instruction Fuzzy Hash: C6319171600204BEEB21DFA8DC45F9AB7B8FB05728F208269F615AE1D1D7B1A5428B54
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 003B82F7
    Memory Dump Source
    • Source File: 00000000.00000002.2247898229.00000000003B7000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: fbeaf42916b4077569068e931a3f7d247a474c6c5d5733f038b86b5ed1ce34f7
    • Instruction ID: ab5e243a41429fc4aead661d378a6b525651af6b23cc9a18bc4e2945497b4f75
    • Opcode Fuzzy Hash: fbeaf42916b4077569068e931a3f7d247a474c6c5d5733f038b86b5ed1ce34f7
    • Instruction Fuzzy Hash: C5118779E01225DBEB325F04CD44BEA77BCAF14B58F514095A609A6840EF709DC0CBA1
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04BE0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2250318017.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4be0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 521e0b98d901163a95c9624bfae4003cb6570d71643960f01bbe726d5888c933
    • Instruction ID: 2ccb94cc52bf2ebc61071735a85b46b0ba92f561ca5469de48ab7eef69d56370
    • Opcode Fuzzy Hash: 521e0b98d901163a95c9624bfae4003cb6570d71643960f01bbe726d5888c933
    • Instruction Fuzzy Hash: 312134B6C002199FDB50DF9AD884BDEFBF4EF88720F14855AE908AB244D774A540CBA5
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04BE0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2250318017.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4be0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 891fc54ffb57fe7e2e3651e310c18288d0737008635a9cf86ead38ed99239e1e
    • Instruction ID: 6b6f634cbb3a2cdcefba8104f5d4ffd9bee87fa1437571eabf63ad54f52d07c1
    • Opcode Fuzzy Hash: 891fc54ffb57fe7e2e3651e310c18288d0737008635a9cf86ead38ed99239e1e
    • Instruction Fuzzy Hash: 292113B6C012199FDB50DF9AD884BDEFBF4EB88720F14855AD908AB244D774A540CBA4
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04BE1580
    Memory Dump Source
    • Source File: 00000000.00000002.2250318017.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4be0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 74d52559d815fd954dc3004f54162d31df4582681db583f5385f326312096f96
    • Instruction ID: fd14ac47daf5addc7f5dc42075b81764177eaf275363a09e2385c79a6ddf8bec
    • Opcode Fuzzy Hash: 74d52559d815fd954dc3004f54162d31df4582681db583f5385f326312096f96
    • Instruction Fuzzy Hash: 472117B1900249DFDB10CF9AC584BDEFBF4EB88320F10842AE558A7250D378A644CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04BE1580
    Memory Dump Source
    • Source File: 00000000.00000002.2250318017.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4be0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 2f352e29cc2de58d94bf0133f9645f7d163c99698df9fec2fdb84853b930d1b6
    • Instruction ID: 59b32ddbf7da5f1f1d44ec5f312949bddaa5d5428f892076ce7d2dec56c75a4b
    • Opcode Fuzzy Hash: 2f352e29cc2de58d94bf0133f9645f7d163c99698df9fec2fdb84853b930d1b6
    • Instruction Fuzzy Hash: F011E4B1900249DFDB10CF9AC584BDEFBF4EB88324F20842AE559A7250D378A644CFA5
    APIs
      • Part of subcall function 003AD9E7: GetCurrentThreadId.KERNEL32 ref: 003AD9F6
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-120F5FEC), ref: 003B2CF5
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: CurrentFileThreadView
    • String ID:
    • API String ID: 1949693742-0
    • Opcode ID: 41b3a2e7e799d2992e88d83379e219eb1dd52e5b1299312fb9bdde047099e8fb
    • Instruction ID: d3e269cd99f317b3ab576502298844f947e67929a65237571636365a2f37cf11
    • Opcode Fuzzy Hash: 41b3a2e7e799d2992e88d83379e219eb1dd52e5b1299312fb9bdde047099e8fb
    • Instruction Fuzzy Hash: 8011933210020ABACF179FA4DC09DDF3A6AFF59349B154615FA1259821C736C4B1EB61
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: CurrentThread
    • String ID:
    • API String ID: 2882836952-0
    • Opcode ID: 578f9b454cf27d3e1465a535e1ed2854343f46ac504b98b0e82cbf4fe497f796
    • Instruction ID: a9859f7523ba4b3cee80eec95434dbbb397160fa1ed1b2fc9eacc8aead575409
    • Opcode Fuzzy Hash: 578f9b454cf27d3e1465a535e1ed2854343f46ac504b98b0e82cbf4fe497f796
    • Instruction Fuzzy Hash: B6115B3210420AEACF23EFA4C909EDF3BA9BF45348F118215FA0259861DB35C962EB51
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04BE1367
    Memory Dump Source
    • Source File: 00000000.00000002.2250318017.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4be0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 00ee6b7391a9c64d07a1954585bf9268e2df8ee09819fbd183dcd9063fcab53a
    • Instruction ID: 5a7a096229af9ebf8ccef024d6b472b520765df8e89127439e83d61bfe6602c0
    • Opcode Fuzzy Hash: 00ee6b7391a9c64d07a1954585bf9268e2df8ee09819fbd183dcd9063fcab53a
    • Instruction Fuzzy Hash: B21143B1800209CFEB10CF9AC445BEEFBF8EB88324F20846AD558A3640D378A540CBA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04BE1367
    Memory Dump Source
    • Source File: 00000000.00000002.2250318017.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4be0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 2ab3d219dda44f7f6b771053339d6f07c397a0d11c034b671519433aca0d38ad
    • Instruction ID: cac3e61213035f0f787c5990a55b5e91f9bea3c81b7cfad9471b32d901442046
    • Opcode Fuzzy Hash: 2ab3d219dda44f7f6b771053339d6f07c397a0d11c034b671519433aca0d38ad
    • Instruction Fuzzy Hash: 881136B1800249CFDB10CF9AC445BEEFBF8EB48324F20845AD558A3250D778A544CFA5
    APIs
      • Part of subcall function 003AD9E7: GetCurrentThreadId.KERNEL32 ref: 003AD9F6
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-120F5FEC,?,?,003B0069,?,?,00000400,?,00000000,?,00000000), ref: 003B23A6
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: CurrentFileReadThread
    • String ID:
    • API String ID: 2348311434-0
    • Opcode ID: e7474a920a2d4619d2abdb1043498a573ac35d350a2f9e52e79b85148f0862aa
    • Instruction ID: 095e5c82f84d48e8909f9071d0447c9cc9381cc7d85eb7f3e5168eda13cb2dd3
    • Opcode Fuzzy Hash: e7474a920a2d4619d2abdb1043498a573ac35d350a2f9e52e79b85148f0862aa
    • Instruction Fuzzy Hash: 4FF0B63610410AEBCF139F98C809D9E3B6AFF55344F408221FA0A59821D73AC8A1EB61
    APIs
    • CreateFileA.KERNELBASE(?,D9CC1CA4,00000003), ref: 00357C09
    Memory Dump Source
    • Source File: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 6b427de337464ded397b56ef06ad63fae35e8a086c63c1592a077980d7f097f7
    • Instruction ID: de3d2fdaae57e1e79e5c081db028f28e8595f42dd4d6d8128bef251758dc84b6
    • Opcode Fuzzy Hash: 6b427de337464ded397b56ef06ad63fae35e8a086c63c1592a077980d7f097f7
    • Instruction Fuzzy Hash: 5BF0EC7600D1056EEB11DE31A5B5EBF37B8DFC5361F21485AECC2CA491C4241D89C732
    APIs
    • CreateFileA.KERNELBASE(?,D9CC1CA4,00000003), ref: 00357C09
    Memory Dump Source
    • Source File: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: ad96cce977fd7251b854859b4c13d81cae6ac456c6e837949b6d9fe01052ed02
    • Instruction ID: 537d965385d435d47d1202c372d00ab0c8efa9adaa96c71d33fc15a62efc0c9f
    • Opcode Fuzzy Hash: ad96cce977fd7251b854859b4c13d81cae6ac456c6e837949b6d9fe01052ed02
    • Instruction Fuzzy Hash: 25F0E57604C21A6EF605DE36A965DBF37A8DBC4770F50892AE896CB0C0C9241D89C731
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2247662851.000000000035E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 7fb12aad3fdc6c431e7e30a7ab4a03b3f42cfbdcd137a0e124a014255c286ec2
    • Instruction ID: a643ab7db22722be179576bdec1d83e0e478ac81df71f374670b3bf1394232d7
    • Opcode Fuzzy Hash: 7fb12aad3fdc6c431e7e30a7ab4a03b3f42cfbdcd137a0e124a014255c286ec2
    • Instruction Fuzzy Hash: 2BF0DFB450C745DFC300AF2584C542ABBF8EF08B04F11891DAAC587625C2758891EB17
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: 08299f2031194a90290e7c78f90d8701c17a038ff683f4ab82a73740884a6a6e
    • Instruction ID: 272fa56c4cc637748bcf735b518ea66476d9ec6b31ea565d4a43824764b40a95
    • Opcode Fuzzy Hash: 08299f2031194a90290e7c78f90d8701c17a038ff683f4ab82a73740884a6a6e
    • Instruction Fuzzy Hash: E901E83560011DBFDF129FA4CC45D9EBB7AFF49390F400161F406A8861D7329661EB60
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 001DF6C0
    Memory Dump Source
    • Source File: 00000000.00000002.2247442044.00000000001DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 66f01293d0c978132efe7f0dd81cfa318e5a860b3489a4e5df26c4378af65f90
    • Instruction ID: 74c03e57f605b54a15004fb6a70f76be39f6fafd9a094473f323430910ac1786
    • Opcode Fuzzy Hash: 66f01293d0c978132efe7f0dd81cfa318e5a860b3489a4e5df26c4378af65f90
    • Instruction Fuzzy Hash: 02012CB550C604CFE7086F28C44556EBBF5EF84310F26462EA4D787794D7319D52DA43
    APIs
      • Part of subcall function 003AD9E7: GetCurrentThreadId.KERNEL32 ref: 003AD9F6
    • CloseHandle.KERNELBASE(003B00FE,-120F5FEC,?,?,003B00FE,?), ref: 003B0779
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleThread
    • String ID:
    • API String ID: 3305057742-0
    • Opcode ID: 28e044c0fc575c575aedcb39228001d61790a98ac2aa4c5edde6c39dbf7940c3
    • Instruction ID: 8de6a3ec89bbaf9d9743629f78b4482ef94c689c06e28a390b3f095be0330628
    • Opcode Fuzzy Hash: 28e044c0fc575c575aedcb39228001d61790a98ac2aa4c5edde6c39dbf7940c3
    • Instruction Fuzzy Hash: C7E048A2104642B5CE17AAB9DC4ED8F5B2CEFD1384B004131B1038DC55EE24D492D561
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 001DE8F1
    Memory Dump Source
    • Source File: 00000000.00000002.2247442044.00000000001DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 26aae683ae997786264ce7f2555af0c3cb4a45ddecafa86c3d4734b3e80743bc
    • Instruction ID: 4ef6cfb2c21e6bd581b2daa401e3adeff5ca52900a78e945729883d9d786a810
    • Opcode Fuzzy Hash: 26aae683ae997786264ce7f2555af0c3cb4a45ddecafa86c3d4734b3e80743bc
    • Instruction Fuzzy Hash: C2E0C27510C1089FDF406E24CC4877EB6D8DF80345F660419AA46C7340D2700C018692
    APIs
    • CloseHandle.KERNELBASE(?,?,003AD886,?,?), ref: 003AF806
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    • Associated: 00000000.00000002.2247385234.00000000001D0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247402958.00000000001D2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247424748.00000000001D6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247442044.00000000001DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247461120.00000000001E4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247476786.00000000001E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247492924.00000000001E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247610527.000000000033D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247632281.0000000000340000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.000000000035E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247706313.0000000000368000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247726827.0000000000369000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247748911.0000000000372000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247768212.0000000000375000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247790170.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247806820.0000000000379000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247830204.0000000000390000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247878549.00000000003B4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247898229.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247918548.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247941068.00000000003C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247964551.00000000003CE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247982572.00000000003D3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248001773.00000000003DB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248019998.00000000003E0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248039785.00000000003E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248058690.00000000003EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248077320.00000000003EB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248098400.00000000003EE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248115910.00000000003EF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248134726.00000000003F0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248160230.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248180135.00000000003F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248199977.00000000003F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248220805.00000000003FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248240095.00000000003FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248258627.0000000000401000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248275714.0000000000402000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248300280.000000000040A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248320039.000000000041A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000041B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000045A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000461000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248434205.0000000000478000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248452681.000000000047A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 6a02a8149c03e38a53801e0a92615008056f590d9cd729a400223a9f1b618eb9
    • Instruction ID: 5476d8ba3e42d5ae6512f1f3ef797c8276f03ae1a09eb33898c3fb4171ea99e3
    • Opcode Fuzzy Hash: 6a02a8149c03e38a53801e0a92615008056f590d9cd729a400223a9f1b618eb9
    • Instruction Fuzzy Hash: C6B09231000509BFCB42FF95DC06C4DBF69FF16398B10C120F906480228B72E962EBE4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    • Associated: 00000000.00000002.2247385234.00000000001D0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247402958.00000000001D2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247424748.00000000001D6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247442044.00000000001DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247461120.00000000001E4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247476786.00000000001E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247492924.00000000001E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247610527.000000000033D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247632281.0000000000340000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.000000000035E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247706313.0000000000368000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247726827.0000000000369000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247748911.0000000000372000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247768212.0000000000375000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247790170.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247806820.0000000000379000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247830204.0000000000390000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247878549.00000000003B4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247898229.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247918548.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247941068.00000000003C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247964551.00000000003CE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247982572.00000000003D3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248001773.00000000003DB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248019998.00000000003E0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248039785.00000000003E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248058690.00000000003EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248077320.00000000003EB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248098400.00000000003EE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248115910.00000000003EF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248134726.00000000003F0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248160230.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248180135.00000000003F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248199977.00000000003F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248220805.00000000003FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248240095.00000000003FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248258627.0000000000401000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248275714.0000000000402000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248300280.000000000040A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248320039.000000000041A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000041B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000045A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000461000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248434205.0000000000478000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248452681.000000000047A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID:
    • String ID: ?K[$Qq>U$|u9K
    • API String ID: 0-8054802
    • Opcode ID: 4889b38455e9d608ba905436803dd89cc78c83c45da75d3f298087cf71b1460a
    • Instruction ID: 1f2e9080a0eef8774c117eda138e055ef1d31faa23932613ceeef07108eff36b
    • Opcode Fuzzy Hash: 4889b38455e9d608ba905436803dd89cc78c83c45da75d3f298087cf71b1460a
    • Instruction Fuzzy Hash: 58E1F5F360C2049FE308AF29EC8577ABBE9EF94320F16493DE6C4C7344EA7558458696
    APIs
      • Part of subcall function 003AD9E7: GetCurrentThreadId.KERNEL32 ref: 003AD9F6
    • GetSystemTime.KERNEL32(?,-120F5FEC), ref: 003B1B69
    • GetFileTime.KERNEL32(?,?,?,?,-120F5FEC), ref: 003B1BAC
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    • Associated: 00000000.00000002.2247385234.00000000001D0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247402958.00000000001D2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247424748.00000000001D6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247442044.00000000001DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247461120.00000000001E4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247476786.00000000001E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247492924.00000000001E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247610527.000000000033D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247632281.0000000000340000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.000000000035E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247706313.0000000000368000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247726827.0000000000369000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247748911.0000000000372000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247768212.0000000000375000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247790170.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247806820.0000000000379000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247830204.0000000000390000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247878549.00000000003B4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247898229.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247918548.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247941068.00000000003C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247964551.00000000003CE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247982572.00000000003D3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248001773.00000000003DB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248019998.00000000003E0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248039785.00000000003E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248058690.00000000003EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248077320.00000000003EB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248098400.00000000003EE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248115910.00000000003EF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248134726.00000000003F0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248160230.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248180135.00000000003F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248199977.00000000003F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248220805.00000000003FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248240095.00000000003FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248258627.0000000000401000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248275714.0000000000402000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248300280.000000000040A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248320039.000000000041A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000041B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000045A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000461000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248434205.0000000000478000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248452681.000000000047A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSystemThread
    • String ID:
    • API String ID: 2191017843-0
    • Opcode ID: ba4681e6f4b63b5b33e11c75e3b082d365b73cc1d7840cb3b8c393e3e87842ae
    • Instruction ID: 40a15cb2d9f7617aab290d52523237e5529fa1095e9fd39b7a60ee0b09f352a8
    • Opcode Fuzzy Hash: ba4681e6f4b63b5b33e11c75e3b082d365b73cc1d7840cb3b8c393e3e87842ae
    • Instruction Fuzzy Hash: F001EC3210014AFBCB229F59DC1DD9F7F79FF86754B508222F50249861EB32D861DB61
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 003B2A39
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    • Associated: 00000000.00000002.2247385234.00000000001D0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247402958.00000000001D2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247424748.00000000001D6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247442044.00000000001DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247461120.00000000001E4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247476786.00000000001E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247492924.00000000001E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247610527.000000000033D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247632281.0000000000340000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.000000000035E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247706313.0000000000368000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247726827.0000000000369000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247748911.0000000000372000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247768212.0000000000375000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247790170.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247806820.0000000000379000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247830204.0000000000390000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247878549.00000000003B4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247898229.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247918548.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247941068.00000000003C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247964551.00000000003CE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247982572.00000000003D3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248001773.00000000003DB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248019998.00000000003E0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248039785.00000000003E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248058690.00000000003EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248077320.00000000003EB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248098400.00000000003EE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248115910.00000000003EF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248134726.00000000003F0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248160230.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248180135.00000000003F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248199977.00000000003F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248220805.00000000003FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248240095.00000000003FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248258627.0000000000401000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248275714.0000000000402000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248300280.000000000040A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248320039.000000000041A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000041B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000045A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000461000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248434205.0000000000478000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248452681.000000000047A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    • Opcode ID: 2529c1ade4e382df5a0c0456dfcd92243d6cfb89587cf8f461859b581a0185ba
    • Instruction ID: e19e60f7f6c27be4a37149c7ffcf59ada3e83006ea85caf23e4fb9053aaa418b
    • Opcode Fuzzy Hash: 2529c1ade4e382df5a0c0456dfcd92243d6cfb89587cf8f461859b581a0185ba
    • Instruction Fuzzy Hash: E2F0F83260010AEFCF12CF94C904A8D7BB2FF14308B108125FA1596920D775DA71EF40
    Memory Dump Source
    • Source File: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    • Associated: 00000000.00000002.2247385234.00000000001D0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247402958.00000000001D2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247424748.00000000001D6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247442044.00000000001DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247461120.00000000001E4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247476786.00000000001E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247492924.00000000001E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247610527.000000000033D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247632281.0000000000340000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.000000000035E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247706313.0000000000368000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247726827.0000000000369000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247748911.0000000000372000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247768212.0000000000375000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247790170.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247806820.0000000000379000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247830204.0000000000390000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247878549.00000000003B4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247898229.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247918548.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247941068.00000000003C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247964551.00000000003CE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247982572.00000000003D3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248001773.00000000003DB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248019998.00000000003E0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248039785.00000000003E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248058690.00000000003EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248077320.00000000003EB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248098400.00000000003EE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248115910.00000000003EF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248134726.00000000003F0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248160230.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248180135.00000000003F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248199977.00000000003F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248220805.00000000003FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248240095.00000000003FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248258627.0000000000401000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248275714.0000000000402000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248300280.000000000040A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248320039.000000000041A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000041B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000045A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000461000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248434205.0000000000478000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248452681.000000000047A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2248994dc836659d5bb1766c08c2109cae5c971d0b6fd181f8d89883ef1a619d
    • Instruction ID: fa4b651eb02b578917ed3b9965f3143c54a595ec3d7d0cd6ba3b647b4eae0927
    • Opcode Fuzzy Hash: 2248994dc836659d5bb1766c08c2109cae5c971d0b6fd181f8d89883ef1a619d
    • Instruction Fuzzy Hash: 3B51DBA250E7CA6FC707CB384878699BFA0AE5710470D86CFD8D54FAA3D315A21AD713
    Memory Dump Source
    • Source File: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    • Associated: 00000000.00000002.2247385234.00000000001D0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247402958.00000000001D2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247424748.00000000001D6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247442044.00000000001DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247461120.00000000001E4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247476786.00000000001E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247492924.00000000001E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247610527.000000000033D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247632281.0000000000340000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.000000000035E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247706313.0000000000368000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247726827.0000000000369000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247748911.0000000000372000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247768212.0000000000375000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247790170.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247806820.0000000000379000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247830204.0000000000390000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247878549.00000000003B4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247898229.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247918548.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247941068.00000000003C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247964551.00000000003CE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247982572.00000000003D3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248001773.00000000003DB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248019998.00000000003E0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248039785.00000000003E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248058690.00000000003EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248077320.00000000003EB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248098400.00000000003EE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248115910.00000000003EF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248134726.00000000003F0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248160230.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248180135.00000000003F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248199977.00000000003F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248220805.00000000003FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248240095.00000000003FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248258627.0000000000401000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248275714.0000000000402000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248300280.000000000040A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248320039.000000000041A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000041B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000045A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000461000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248434205.0000000000478000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248452681.000000000047A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 12a1eede3fd0391f1a898efcdb332fb61673ade5566b52599e2f7ed42f4bad1e
    • Instruction ID: 0d161090222cf657eeb517a84014f9117912a72f4a4704a5cfab8d082cd79c1c
    • Opcode Fuzzy Hash: 12a1eede3fd0391f1a898efcdb332fb61673ade5566b52599e2f7ed42f4bad1e
    • Instruction Fuzzy Hash: 404169B250D210EFD30AAF29D8415AAFBF5FF99310F1A886EE1C687611D3354881CB97
    Memory Dump Source
    • Source File: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    • Associated: 00000000.00000002.2247385234.00000000001D0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247402958.00000000001D2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247424748.00000000001D6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247442044.00000000001DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247461120.00000000001E4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247476786.00000000001E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247492924.00000000001E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247610527.000000000033D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247632281.0000000000340000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.000000000035E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247706313.0000000000368000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247726827.0000000000369000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247748911.0000000000372000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247768212.0000000000375000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247790170.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247806820.0000000000379000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247830204.0000000000390000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247878549.00000000003B4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247898229.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247918548.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247941068.00000000003C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247964551.00000000003CE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247982572.00000000003D3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248001773.00000000003DB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248019998.00000000003E0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248039785.00000000003E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248058690.00000000003EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248077320.00000000003EB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248098400.00000000003EE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248115910.00000000003EF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248134726.00000000003F0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248160230.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248180135.00000000003F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248199977.00000000003F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248220805.00000000003FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248240095.00000000003FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248258627.0000000000401000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248275714.0000000000402000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248300280.000000000040A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248320039.000000000041A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000041B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000045A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000461000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248434205.0000000000478000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248452681.000000000047A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 09fcec0fc3dbf837548f28ca9e2ec40e50fabdc22a959aef58bdb68e4b06e3e5
    • Instruction ID: b860327af2d5a47797c9880b6033ee13d7d3dd28d00a595606ae52c074ca33cd
    • Opcode Fuzzy Hash: 09fcec0fc3dbf837548f28ca9e2ec40e50fabdc22a959aef58bdb68e4b06e3e5
    • Instruction Fuzzy Hash: 10317EB250C704AFE715BF29E88467AFBE4FF48314F16492DEAD482600D7365984CB97
    Memory Dump Source
    • Source File: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    • Associated: 00000000.00000002.2247385234.00000000001D0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247402958.00000000001D2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247424748.00000000001D6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247442044.00000000001DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247461120.00000000001E4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247476786.00000000001E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247492924.00000000001E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247610527.000000000033D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247632281.0000000000340000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.000000000035E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247706313.0000000000368000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247726827.0000000000369000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247748911.0000000000372000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247768212.0000000000375000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247790170.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247806820.0000000000379000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247830204.0000000000390000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247878549.00000000003B4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247898229.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247918548.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247941068.00000000003C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247964551.00000000003CE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247982572.00000000003D3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248001773.00000000003DB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248019998.00000000003E0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248039785.00000000003E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248058690.00000000003EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248077320.00000000003EB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248098400.00000000003EE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248115910.00000000003EF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248134726.00000000003F0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248160230.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248180135.00000000003F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248199977.00000000003F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248220805.00000000003FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248240095.00000000003FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248258627.0000000000401000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248275714.0000000000402000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248300280.000000000040A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248320039.000000000041A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000041B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000045A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000461000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248434205.0000000000478000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248452681.000000000047A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 07b24c2a8607fbf2d7d70286ab909b999c3a5c6e3eaf26261311424b54e6b739
    • Instruction ID: 3d36de14a86dc600455d975894397b8f267db90d6d759b52de1c7145b9d6c7ae
    • Opcode Fuzzy Hash: 07b24c2a8607fbf2d7d70286ab909b999c3a5c6e3eaf26261311424b54e6b739
    • Instruction Fuzzy Hash: 35318DB250C704AFE7157F29E8846BAFBE4FF48360F06492DEAC482A00D7355944CB93
    Memory Dump Source
    • Source File: 00000000.00000002.2248337323.000000000041B000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    • Associated: 00000000.00000002.2247385234.00000000001D0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247402958.00000000001D2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247424748.00000000001D6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247442044.00000000001DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247461120.00000000001E4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247476786.00000000001E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247492924.00000000001E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247610527.000000000033D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247632281.0000000000340000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.000000000035E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247706313.0000000000368000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247726827.0000000000369000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247748911.0000000000372000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247768212.0000000000375000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247790170.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247806820.0000000000379000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247830204.0000000000390000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247878549.00000000003B4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247898229.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247918548.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247941068.00000000003C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247964551.00000000003CE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247982572.00000000003D3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248001773.00000000003DB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248019998.00000000003E0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248039785.00000000003E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248058690.00000000003EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248077320.00000000003EB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248098400.00000000003EE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248115910.00000000003EF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248134726.00000000003F0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248160230.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248180135.00000000003F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248199977.00000000003F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248220805.00000000003FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248240095.00000000003FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248258627.0000000000401000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248275714.0000000000402000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248300280.000000000040A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248320039.000000000041A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000045A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000461000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248434205.0000000000478000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248452681.000000000047A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 62debd93ee29725052442ee944ba2278675bde57b32705c02a0cae4db1f8b4c0
    • Instruction ID: 472f765d1433b21c1c957659bf8a768984a96348b4a4ec832a9a03eac44fab1c
    • Opcode Fuzzy Hash: 62debd93ee29725052442ee944ba2278675bde57b32705c02a0cae4db1f8b4c0
    • Instruction Fuzzy Hash: 47213BB290C5148FE709BE18985003EB7D5BF94350F2A452FD5C6B7604FEB9541297CB
    APIs
      • Part of subcall function 003AD9E7: GetCurrentThreadId.KERNEL32 ref: 003AD9F6
      • Part of subcall function 003B20E8: IsBadWritePtr.KERNEL32(?,00000004), ref: 003B20F6
    • wsprintfA.USER32 ref: 003B10B0
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 003B1174
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    • Associated: 00000000.00000002.2247385234.00000000001D0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247402958.00000000001D2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247424748.00000000001D6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247442044.00000000001DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247461120.00000000001E4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247476786.00000000001E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247492924.00000000001E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247610527.000000000033D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247632281.0000000000340000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.000000000035E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247706313.0000000000368000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247726827.0000000000369000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247748911.0000000000372000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247768212.0000000000375000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247790170.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247806820.0000000000379000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247830204.0000000000390000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247878549.00000000003B4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247898229.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247918548.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247941068.00000000003C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247964551.00000000003CE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247982572.00000000003D3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248001773.00000000003DB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248019998.00000000003E0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248039785.00000000003E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248058690.00000000003EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248077320.00000000003EB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248098400.00000000003EE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248115910.00000000003EF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248134726.00000000003F0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248160230.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248180135.00000000003F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248199977.00000000003F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248220805.00000000003FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248240095.00000000003FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248258627.0000000000401000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248275714.0000000000402000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248300280.000000000040A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248320039.000000000041A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000041B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000045A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000461000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248434205.0000000000478000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248452681.000000000047A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 439219941-2046107164
    • Opcode ID: 5e4c4d991123d0034cf011c081fa7a4f89e0abe23bd451cb16cc5791deb6cbed
    • Instruction ID: fbf8282f1b2a9078134c937733c754a0f9f17e70a6749076dba9718013a59c06
    • Opcode Fuzzy Hash: 5e4c4d991123d0034cf011c081fa7a4f89e0abe23bd451cb16cc5791deb6cbed
    • Instruction Fuzzy Hash: 5231387190010AFBCF12DF98DC09EEEBB79FF89310F108125F612A6661D7719A61EB61
    APIs
    • GetFileAttributesExW.KERNEL32(00EF0324,00004020,00000000,-120F5FEC), ref: 003B1D28
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2247856911.00000000003A4000.00000040.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
    • Associated: 00000000.00000002.2247385234.00000000001D0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247402958.00000000001D2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247424748.00000000001D6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247442044.00000000001DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247461120.00000000001E4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247476786.00000000001E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247492924.00000000001E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247610527.000000000033D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247632281.0000000000340000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.0000000000351000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247662851.000000000035E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247706313.0000000000368000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247726827.0000000000369000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247748911.0000000000372000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247768212.0000000000375000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247790170.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247806820.0000000000379000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247830204.0000000000390000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247878549.00000000003B4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247898229.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247918548.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247941068.00000000003C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247964551.00000000003CE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2247982572.00000000003D3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248001773.00000000003DB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248019998.00000000003E0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248039785.00000000003E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248058690.00000000003EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248077320.00000000003EB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248098400.00000000003EE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248115910.00000000003EF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248134726.00000000003F0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248160230.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248180135.00000000003F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248199977.00000000003F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248220805.00000000003FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248240095.00000000003FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248258627.0000000000401000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248275714.0000000000402000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248300280.000000000040A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248320039.000000000041A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000041B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248337323.000000000045A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000461000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248397664.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248434205.0000000000478000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248452681.000000000047A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1d0000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 7d244472630b58a29b7541b459fae0e3bff9da3453a4b1d2132f29d339106455
    • Instruction ID: 4b6721c2f46f6ec19de31be8e80d418daffa9163560deb66ef4985a72fcc5e29
    • Opcode Fuzzy Hash: 7d244472630b58a29b7541b459fae0e3bff9da3453a4b1d2132f29d339106455
    • Instruction Fuzzy Hash: 313157B1504705EFDB268F54C888B9ABFB4FF08344F508519EA566BA50C3B0AAA5DB90