
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1558872
MD5: 333b260426a661dcadd5c016ab149ecb
SHA1: 0f87cec4227cf24cdea86a82b632d45488875e77
SHA256: afcc403016c3fbbb10e732010bbc93854c1e1be63df48c91901acd7e05aa0e2c
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5232 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 333B260426A661DCADD5C016AB149ECB)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.2130016834.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0437E | 0_2_00F0437E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F04351 | 0_2_00F04351
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0433F | 0_2_00F0433F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F04A99 | 0_2_00F04A99
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D95AAE | 0_2_00D95AAE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F04A8C | 0_2_00F04A8C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F04C27 | 0_2_00F04C27
Source: file.exe, 00000000.00000000.2118679160.0000000000D86000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 36%
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this applicationFDS_WL_
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2766848 > 1048576
Source: file.exe | Static PE information: Raw size of ihewwctv is bigger than: 0x100000 < 0x29d600
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.2130016834.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.d80000.0.unpack :EW;.rsrc:W;.idata :W;ihewwctv:EW;macjzflx:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2af9f8 should be: 0x2a8c26
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: ihewwctv
Source: file.exe | Static PE information: section name: macjzflx
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0402C push edi; mov dword ptr [esp], esi | 0_2_00F040E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0402C push 1B8E2D2Eh; mov dword ptr [esp], esi | 0_2_00F04102
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0402C push 7F479337h; mov dword ptr [esp], ebp | 0_2_00F04113
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D8E6DB push ecx; mov dword ptr [esp], 2FAF5240h | 0_2_00D8F4D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D8E6DB push ecx; mov dword ptr [esp], ebp | 0_2_00D8F4F8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F03EE5 push edx; mov dword ptr [esp], ecx | 0_2_00F03F05
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F03EE5 push 60062D5Ch; mov dword ptr [esp], edi | 0_2_00F03F2E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F03EE5 push edx; mov dword ptr [esp], 7CFF2500h | 0_2_00F03F56
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F03EE5 push 2DAED801h; mov dword ptr [esp], edi | 0_2_00F03F88
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F03EE5 push edx; mov dword ptr [esp], esi | 0_2_00F03FA7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F03EE5 push 127D28B1h; mov dword ptr [esp], ecx | 0_2_00F03FF2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F130EA push 19B97104h; mov dword ptr [esp], esi | 0_2_00F15ED1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F110EC push 3F92F8C7h; mov dword ptr [esp], ebx | 0_2_00F112B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F110EC push ebp; mov dword ptr [esp], 2D95BB24h | 0_2_00F123FC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D8C09C push eax; mov dword ptr [esp], ebp | 0_2_00D8C0C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F150B5 push edx; mov dword ptr [esp], esi | 0_2_00F150B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D9209E push ebp; mov dword ptr [esp], eax | 0_2_00D920A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F260AB push ebp; mov dword ptr [esp], esp | 0_2_00F260F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F04092 push edi; mov dword ptr [esp], esi | 0_2_00F040E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F04092 push 1B8E2D2Eh; mov dword ptr [esp], esi | 0_2_00F04102
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F04092 push 7F479337h; mov dword ptr [esp], ebp | 0_2_00F04113
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1A09A push esi; ret | 0_2_00F1A0A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1107C push eax; mov dword ptr [esp], ebx | 0_2_00F12065
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1707F push 0D671457h; mov dword ptr [esp], ebx | 0_2_00F18E8B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0F050 push eax; mov dword ptr [esp], 55631020h | 0_2_00F0F05C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FCA05B push 31EFD221h; mov dword ptr [esp], edx | 0_2_00FCA08B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0405A push edi; mov dword ptr [esp], esi | 0_2_00F040E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0405A push 1B8E2D2Eh; mov dword ptr [esp], esi | 0_2_00F04102
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0405A push 7F479337h; mov dword ptr [esp], ebp | 0_2_00F04113
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0F044 push 29426860h; mov dword ptr [esp], edi | 0_2_00F0F8B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F11045 push esi; mov dword ptr [esp], ecx | 0_2_00F11050
Source: file.exe | Static PE information: section name: (empty) entropy: 7.817006744565816

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F379D9 second address: F379ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7114E04AB6h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F379ED second address: F379F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F38EF4 second address: F38EFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F38EFA second address: F38F64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7114E04BBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F7114E04BB8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 push 00000000h 0x0000002a sub dword ptr [ebp+122D2A2Eh], esi 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebp 0x00000035 call 00007F7114E04BB8h 0x0000003a pop ebp 0x0000003b mov dword ptr [esp+04h], ebp 0x0000003f add dword ptr [esp+04h], 00000016h 0x00000047 inc ebp 0x00000048 push ebp 0x00000049 ret 0x0000004a pop ebp 0x0000004b ret 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 push ebx 0x00000052 pop ebx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F38F64 second address: F38F72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7114E04ABAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F38F72 second address: F38F7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F7114E04BB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F39A65 second address: F39A69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F39A69 second address: F39ABE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jne 00007F7114E04BC1h 0x0000000e sub di, 227Dh 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F7114E04BB8h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f push 00000000h 0x00000031 add dword ptr [ebp+12454930h], edi 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a jno 00007F7114E04BB8h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3981A second address: F3982A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7114E04AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3982A second address: F39835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3AE81 second address: F3AE86 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3AE86 second address: F3AEEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F7114E04BB8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 jmp 00007F7114E04BBEh 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007F7114E04BB8h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 0000001Ah 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 mov edi, esi 0x00000049 xchg eax, ebx 0x0000004a pushad 0x0000004b pushad 0x0000004c push edx 0x0000004d pop edx 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3AEEF second address: F3AEF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EED1AC second address: EED1B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F7114E04BB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EED1B7 second address: EED200 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7114E04ABDh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d jg 00007F7114E04ADEh 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ecx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F40248 second address: F4026D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7114E04BC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F7114E04BBCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4074C second address: F40751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F40751 second address: F40766 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F7114E04BB6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F40766 second address: F4077F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7114E04AC5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4077F second address: F40783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F417AC second address: F417B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F7114E04ABCh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3B6D4 second address: F3B6D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F417B8 second address: F417DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7114E04AC9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3B6D8 second address: F3B6DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F417DB second address: F417E1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3B6DE second address: F3B6E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F417E1 second address: F417EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F7114E04AB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F428E1 second address: F4295F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jnc 00007F7114E04BB6h 0x00000013 popad 0x00000014 pop edx 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F7114E04BB8h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 mov ebx, 42705476h 0x00000035 mov ebx, edi 0x00000037 push 00000000h 0x00000039 jne 00007F7114E04BBCh 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push ecx 0x00000044 call 00007F7114E04BB8h 0x00000049 pop ecx 0x0000004a mov dword ptr [esp+04h], ecx 0x0000004e add dword ptr [esp+04h], 0000001Bh 0x00000056 inc ecx 0x00000057 push ecx 0x00000058 ret 0x00000059 pop ecx 0x0000005a ret 0x0000005b add edi, dword ptr [ebp+122D3B62h] 0x00000061 xchg eax, esi 0x00000062 push ecx 0x00000063 push esi 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4590E second address: F45914 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4195E second address: F41962 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F48DB1 second address: F48E39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7114E04AC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d pushad 0x0000000e jc 00007F7114E04ABCh 0x00000014 mov dword ptr [ebp+12454CF0h], esi 0x0000001a mov dword ptr [ebp+122D2A5Bh], edx 0x00000020 popad 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push edx 0x00000026 call 00007F7114E04AB8h 0x0000002b pop edx 0x0000002c mov dword ptr [esp+04h], edx 0x00000030 add dword ptr [esp+04h], 00000014h 0x00000038 inc edx 0x00000039 push edx 0x0000003a ret 0x0000003b pop edx 0x0000003c ret 0x0000003d pushad 0x0000003e xor dword ptr [ebp+1244E351h], edx 0x00000044 call 00007F7114E04AC5h 0x00000049 mov di, 69AAh 0x0000004d pop eax 0x0000004e popad 0x0000004f mov bl, 4Ah 0x00000051 push 00000000h 0x00000053 or ebx, dword ptr [ebp+122D2A60h] 0x00000059 xchg eax, esi 0x0000005a jnl 00007F7114E04ABAh 0x00000060 push eax 0x00000061 pushad 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F49F7E second address: F49F83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4BDF6 second address: F4BE01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7114E04AB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4BE01 second address: F4BE30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7114E04BBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F7114E04BBDh 0x00000012 jmp 00007F7114E04BBAh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4BE30 second address: F4BE87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7114E04AC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F7114E04AB8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov di, ax 0x00000027 push 00000000h 0x00000029 mov ebx, dword ptr [ebp+122D38AAh] 0x0000002f jno 00007F7114E04AB8h 0x00000035 push 00000000h 0x00000037 mov bl, C8h 0x00000039 xchg eax, esi 0x0000003a pushad 0x0000003b push esi 0x0000003c push eax 0x0000003d pop eax 0x0000003e pop esi 0x0000003f push eax 0x00000040 push edx 0x00000041 push ecx 0x00000042 pop ecx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4BE87 second address: F4BE8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4CE36 second address: F4CE3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4DE4B second address: F4DE4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4ED08 second address: F4ED12 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7114E04ABCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4ED12 second address: F4ED6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov di, A542h 0x0000000d push 00000000h 0x0000000f xor edi, dword ptr [ebp+122D38C2h] 0x00000015 sub edi, dword ptr [ebp+122D1C77h] 0x0000001b push 00000000h 0x0000001d add dword ptr [ebp+122D2CBEh], ebx 0x00000023 xchg eax, esi 0x00000024 jmp 00007F7114E04BC8h 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F7114E04BC9h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4ED6A second address: F4ED74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F7114E04AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4A1DA second address: F4A1E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F7114E04BB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4B12C second address: F4B13C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4FE4D second address: F4FEE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a jmp 00007F7114E04BBAh 0x0000000f je 00007F7114E04BB6h 0x00000015 popad 0x00000016 pop ecx 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F7114E04BB8h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 jmp 00007F7114E04BBBh 0x00000037 push dword ptr fs:[00000000h] 0x0000003e and di, C1BEh 0x00000043 mov dword ptr fs:[00000000h], esp 0x0000004a mov eax, dword ptr [ebp+122D0239h] 0x00000050 push 00000000h 0x00000052 push edx 0x00000053 call 00007F7114E04BB8h 0x00000058 pop edx 0x00000059 mov dword ptr [esp+04h], edx 0x0000005d add dword ptr [esp+04h], 00000016h 0x00000065 inc edx 0x00000066 push edx 0x00000067 ret 0x00000068 pop edx 0x00000069 ret 0x0000006a mov dword ptr [ebp+122D2944h], esi 0x00000070 push FFFFFFFFh 0x00000072 mov ebx, dword ptr [ebp+122D397Ah] 0x00000078 nop 0x00000079 push ebx 0x0000007a push eax 0x0000007b push edx 0x0000007c je 00007F7114E04BB6h 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F57BA6 second address: F57BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F57BAC second address: F57BC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F7114E04BBFh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F575E7 second address: F57600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7114E04AC0h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F57600 second address: F57606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F57606 second address: F57626 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7114E04AC2h 0x0000000d jp 00007F7114E04AB6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F57626 second address: F57643 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7114E04BB6h 0x00000008 jmp 00007F7114E04BBCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push esi 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F635DD second address: F63602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 jnl 00007F7114E04AB6h 0x0000000c jns 00007F7114E04AB6h 0x00000012 pop edx 0x00000013 pushad 0x00000014 jmp 00007F7114E04ABDh 0x00000019 push edx 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6AAD1 second address: F6AAD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6AAD5 second address: F6AAD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6AAD9 second address: F6AADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6ACDB second address: F6ACDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6ACDF second address: F6AD2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jno 00007F7114E04BC9h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F7114E04BBCh 0x00000017 mov eax, dword ptr [eax] 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F7114E04BC5h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6AD2A second address: F6AD2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C092 second address: F6C096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C096 second address: F6C09F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C09F second address: F6C0D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7114E04BC9h 0x00000009 jg 00007F7114E04BB6h 0x0000000f popad 0x00000010 push esi 0x00000011 jno 00007F7114E04BB6h 0x00000017 jnc 00007F7114E04BB6h 0x0000001d pop esi 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F71613 second address: F71618 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F70E2B second address: F70E46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jno 00007F7114E04BB6h 0x0000000c jmp 00007F7114E04BBDh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F70E46 second address: F70E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F70E4D second address: F70E53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F70E53 second address: F70E78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7114E04AC5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F70E78 second address: F70E91 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7114E04BB6h 0x00000008 jmp 00007F7114E04BBFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F70FCD second address: F70FD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F70FD1 second address: F70FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7114E04BC2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7119C second address: F711AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop ebx 0x0000000b popad 0x0000000c push ebx 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7666A second address: F7666E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7666E second address: F76674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F767ED second address: F767F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F767F7 second address: F767FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F76958 second address: F76969 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F7114E04BB6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F76969 second address: F7698B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7114E04AB6h 0x0000000a popad 0x0000000b jmp 00007F7114E04ABFh 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007F7114E04AB6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F76D1C second address: F76D2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7114E04BBBh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F76D2D second address: F76D31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAAFAA second address: FAAFB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAAFB0 second address: FAAFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB62C1 second address: FB62C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB62C6 second address: FB62CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB62CC second address: FB62D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB62D0 second address: FB6314 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7114E04BBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7114E04BC1h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7114E04BC9h 0x00000019 jnp 00007F7114E04BB6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB6314 second address: FB6318 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB6318 second address: FB6335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7114E04BC7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB68C5 second address: FB68D0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB68D0 second address: FB68FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F7114E04BB6h 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e jp 00007F7114E04BB6h 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F7114E04BC1h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB68FB second address: FB691D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7114E04AC2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F7114E04ABAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB76EE second address: FB76F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB76F4 second address: FB7702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F7114E04AC2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB7702 second address: FB770C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F7114E04BB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB770C second address: FB7712 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB7712 second address: FB7718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB7FB0 second address: FB7FB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB7FB4 second address: FB7FCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7114E04BC2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB7FCC second address: FB7FD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB7FD2 second address: FB7FD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB5E68 second address: FB5E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF587 second address: FBF58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF58B second address: FBF5DA instructions: 0x00000000 rdtsc 0x00000002 je 00007F7114E04AB6h 0x00000008 jmp 00007F7114E04AC7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jg 00007F7114E04AB6h 0x00000016 pushad 0x00000017 popad 0x00000018 jc 00007F7114E04AB6h 0x0000001e push eax 0x0000001f pop eax 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 jmp 00007F7114E04ABDh 0x0000002b pop edx 0x0000002c push eax 0x0000002d je 00007F7114E04AB6h 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBF5DA second address: FBF5DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC9782 second address: FC978F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jng 00007F7114E04AB6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD08F8 second address: FD08FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD08FC second address: FD0923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7114E04AC8h 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD0923 second address: FD094A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7114E04BC0h 0x00000009 popad 0x0000000a push ebx 0x0000000b push edi 0x0000000c pop edi 0x0000000d jp 00007F7114E04BB6h 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 jns 00007F7114E04BB6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD286E second address: FD2881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F7114E04ABDh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD2881 second address: FD2887 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD4144 second address: FD4148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD4148 second address: FD415D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7114E04BC0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE83E5 second address: FE83F0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE856B second address: FE8571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE86CD second address: FE86DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 ja 00007F7114E04AB6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE86DB second address: FE86E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE8962 second address: FE8989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7114E04AC6h 0x00000009 jmp 00007F7114E04ABDh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE8DBA second address: FE8DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F7114E04BB6h 0x0000000a pop edx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7114E04BC3h 0x00000013 pushad 0x00000014 jc 00007F7114E04BB6h 0x0000001a jnl 00007F7114E04BB6h 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE8DEB second address: FE8DF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE8DF1 second address: FE8DF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEC2DE second address: FEC2FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F7114E04AB6h 0x0000000a jmp 00007F7114E04ABBh 0x0000000f popad 0x00000010 pushad 0x00000011 jo 00007F7114E04ABEh 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEC2FF second address: FEC308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEC308 second address: FEC312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEC312 second address: FEC321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F7114E04BB6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF389E second address: FF38C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7114E04AC1h 0x00000007 push edi 0x00000008 jmp 00007F7114E04AC2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1006E55 second address: 1006E83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7114E04BC3h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007F7114E04BBEh 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1006E83 second address: 1006E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 jmp 00007F7114E04AC2h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1006E9E second address: 1006EA8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7114E04BB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1008A4B second address: 1008A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1008A53 second address: 1008A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jne 00007F7114E04BB6h 0x00000010 popad 0x00000011 push eax 0x00000012 jno 00007F7114E04BB6h 0x00000018 pop eax 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1008A72 second address: 1008A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jne 00007F7114E04ABCh 0x0000000b jnp 00007F7114E04AB6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1008A83 second address: 1008A8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100C655 second address: 100C659 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100C659 second address: 100C677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7114E04BC0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007F7114E04BCDh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1010406 second address: 101042B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7114E04AC5h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jno 00007F7114E04AB6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101055E second address: 1010575 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7114E04BC2h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1010575 second address: 101057B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1010855 second address: 101085B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10109BA second address: 10109BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10109BE second address: 10109CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10109CA second address: 10109CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1013DC6 second address: 1013DED instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7114E04BCDh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1013DED second address: 1013DF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101532C second address: 1015331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1015331 second address: 1015337 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3785E second address: F37864 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D8DCB4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: F2F8C4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: F2E1BB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: F53A24 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FC48FE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D92C8C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Memory allocated: 50D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 5250000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 7250000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F0402C rdtsc 0_2_00F0402C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1A639 sidt fword ptr [esp-02h] 0_2_00F1A639
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 1060 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F65D8D GetSystemInfo,VirtualAlloc, 0_2_00F65D8D
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F0402C rdtsc 0_2_00F0402C
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F5F4FC GetSystemTime,GetFileTime, 0_2_00F5F4FC

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 41 Disable or Modify Tools | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Bypass User Account Control | 271 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 271 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 24 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Bypass User Account Control | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 37% | ReversingLabs | Win32.Infostealer.Tinba |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1558872
Start date and time: 2024-11-19 22:13:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, ctldl.windowsupdate.com
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.491237591153825
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'766'848 bytes
MD5: 333b260426a661dcadd5c016ab149ecb
SHA1: 0f87cec4227cf24cdea86a82b632d45488875e77
SHA256: afcc403016c3fbbb10e732010bbc93854c1e1be63df48c91901acd7e05aa0e2c
SHA512: 9e53484a98183723e63359ea714dea7b48d0ef43ae26a426fb0889dc1320b3b57f3876546ed4c49284cc79ab52f0b240954eb16b8be3ca392570d7010872b458
SSDEEP: 49152:6jb3j1kXfkYRoRPxTUo+Fe59czFy0VuKxtTGMcq34r:6nj1kPkYRodxTUoWU9j0oKzTvY
TLSH: 1BD539A2B905B2CFD88E1B78D567CE82591D43F90F1048D3AC6965BABD77CC122B7C24
File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............*.. ...`....@.. ........................*.......*...`................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x6aa000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F71147EB6CAh
movhps xmm5, qword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x2000 | 0x4000 | 0x1200 | 9042a9870ab001288ae6cf5ae24e0405 | False | 0.9340277777777778 | data | 7.817006744565816 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ihewwctv | 0xa000 | 0x29e000 | 0x29d600 | de15788134459d1b1279765bf1986090 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
macjzflx | 0x2a8000 | 0x2000 | 0x600 | 726ff8ad0bcfd33e70ef1db500790585 | False | 0.5859375 | data | 5.048627593472186 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2aa000 | 0x4000 | 0x2200 | 56a245be1dd0e7954b79bd47ec706b21 | False | 0.08501838235294118 | DOS executable (COM) | 0.9949150590537634 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
No network behavior found

Target ID: 0
Start time: 16:13:58
Start date: 19/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xd80000
File size: 2'766'848 bytes
MD5 hash: 333B260426A661DCADD5C016AB149ECB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

    Execution Graph

    Execution Coverage:4.9%
    Dynamic/Decrypted Code Coverage:4.6%
    Signature Coverage:1.5%
    Total number of Nodes:260
    Total number of Limit Nodes:14

    Control-flow Graph

    APIs
    • GetSystemInfo.KERNELBASE(?,-11545FEC), ref: 00F65D99
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00F65DFA
    Memory Dump Source
    • Source File: 00000000.00000002.2264252259.0000000000F65000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: c3e7569bdf26332ce257e9e19839ba0dd868c2a118eded5ebd6b55975a0b6458
    • Instruction ID: b52de3397c12e712386921c15302cc44568b527908af59085f623b37f23e53ca
    • Opcode Fuzzy Hash: c3e7569bdf26332ce257e9e19839ba0dd868c2a118eded5ebd6b55975a0b6458
    • Instruction Fuzzy Hash: 314120B1D00606AEE725CF64CC55FA6B7ACFF58B50F0009A6E203DE492E67095D4C7A5

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: d15a6c448bfb2668897079058e332578151146ca51b034dad2d8957df3b608bc
    • Instruction ID: 73aa837ff190a40cef7c3d97b78aa94d1357b56f61de433a494cb1d81936288d
    • Opcode Fuzzy Hash: d15a6c448bfb2668897079058e332578151146ca51b034dad2d8957df3b608bc
    • Instruction Fuzzy Hash: 773140F350C610AFE3116E09DC80AFAFBE8EF94761F12482EEBC593640D7355440AAA7

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 00F5CB93
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00F5CBA7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: ce55787f5fd04fc94daa5341205c6fffc9e1ff6ef9179806ae23c2ebb9ad34f6
    • Instruction ID: 13452171ec7fe342d166dc5dcc5661da10b85635ed8ff71da2217e3363accc24
    • Opcode Fuzzy Hash: ce55787f5fd04fc94daa5341205c6fffc9e1ff6ef9179806ae23c2ebb9ad34f6
    • Instruction Fuzzy Hash: 28315432804209BFCF21AF60DD06AA97B75FF48362F104155FE0796162C73999A8FAE1

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph
    • Block 37: f5cf88-f5cf99, call f5c8ec
    • Block 40: f5cfa4-f5cfad, call f5b3af
    • Block 41: f5cf9f
    • Block 48: f5cfe1-f5cfe8
    • Block 49: f5cfb3-f5cfbf, call f5bac1
    • Block 42: f5d038-f5d03c
    • Block 44: f5d050-f5d053, GetModuleHandleA
    • Block 45: f5d042-f5d04b, GetModuleHandleW
    • Block 47: f5d059
    • Block 51: f5d063-f5d065
    • Block 52: f5d033, call f5b45a
    • Block 53: f5cfee-f5cff5
    • Block 56: f5cfc4-f5cfc6
    • Block 54: f5cffb-f5d002
    • Block 57: f5d008-f5d00f
    • Block 58: f5cfcc-f5cfd1
    • Block 59: f5d015-f5d029
    • Block 60: f5cfd7-f5d05e, call f5b45a
    • Edges: 37->40, 37->41, 40->48, 40->49, 41->42, 42->44, 42->45, 44->47, 45->47, 47->51, 48->52, 48->53, 49->56, 52->42, 53->52, 53->54, 54->52, 54->57, 56->52, 56->58, 57->52, 57->59, 58->52, 58->60, 59->52, 60->51
    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,00F5CF1A,?,00000000,00000000), ref: 00F5D045
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,00F5CF1A,?,00000000,00000000), ref: 00F5D053
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: 00000000.00000002.2263326071.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377920.0000000000D86000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263406654.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263432358.0000000000D96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263821957.0000000000EE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263849459.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263880109.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263981749.0000000000F25000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264003011.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264035504.0000000000F3C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264059150.0000000000F3D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264082874.0000000000F3E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264105522.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264130895.0000000000F48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264177351.0000000000F60000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264203553.0000000000F62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264226559.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264252259.0000000000F65000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264278696.0000000000F66000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264302497.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264328347.0000000000F7A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264351651.0000000000F7B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264373817.0000000000F7C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264396532.0000000000F7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264422384.0000000000F80000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264448995.0000000000F85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264472153.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264496981.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264523457.0000000000F9A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264556999.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264580607.0000000000F9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264603050.0000000000FA0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264620668.0000000000FA1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264645528.0000000000FA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264676345.0000000000FB8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264698500.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264722144.0000000000FC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264745645.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264776470.0000000000FD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264798225.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264832900.0000000001010000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264855145.0000000001011000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001012000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001019000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264932449.0000000001028000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264952953.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: 922379c8758e605feb4757f80bd72a7f9818235c65220d763e5b8e88f6cd4361
    • Instruction ID: 4c193c91dea28b2d589b3cc53a0b723c6aff2258b4ff8663d1394b3f13bb1f44
    • Opcode Fuzzy Hash: 922379c8758e605feb4757f80bd72a7f9818235c65220d763e5b8e88f6cd4361
    • Instruction Fuzzy Hash: 20113C3150660AEEEB349F28C84C79976B4FF00357F104115BF06844D5C7B694EEFA92
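    The memory-dump names listed under each function encode where the code was dumped from and which page protection the region had at dump time. The Python below is an added example, not part of the report or of Joe Sandbox's own tooling: it parses those names and flags image-backed pages that are both writable and executable. The protection and type fields are decoded with the winnt.h constants (0x40 is PAGE_EXECUTE_READWRITE, 0x80 is PAGE_EXECUTE_WRITECOPY, 0x01000000 is MEM_IMAGE); the meaning assigned to the remaining fields (process index, analysis phase, dump id, base address, state, index) is an assumption, and the parser only carries them through. The sample lines are copied from the Memory Dump Source list above.

```python
"""Decode the memory-dump names that Joe Sandbox attaches to each function entry
(<proc>.<phase>.<dumpid>.<base>.<protection>.<state>.<type>.<index>.sdmp)
and flag image pages that are both writable and executable."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Page-protection and region-type constants from winnt.h.
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_IMAGE = 0x1000000
MEM_TYPE_NAMES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80

# Field layout of a dump name. Only the protection and type fields are interpreted;
# the names given to the other fields are an assumption about Joe Sandbox's naming.
DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<state>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<index>[0-9A-F]{8})\.sdmp", re.IGNORECASE)
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-F]+)", re.IGNORECASE)


@dataclass
class DumpRegion:
    name: str
    base: int
    protection: int
    mem_type: int
    image_base: Optional[int] = None  # from "Offset:" on a Source File line, if present

    @property
    def protection_name(self) -> str:
        return PAGE_NAMES.get(self.protection, f"0x{self.protection:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE_NAMES.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protection & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protection & WRITE_MASK)

    @property
    def rva(self) -> Optional[int]:
        return None if self.image_base is None else self.base - self.image_base


def parse_dump_line(line: str) -> Optional[DumpRegion]:
    """Parse one 'Source File:' or 'Associated:' line; trailing link labels are ignored."""
    m = DUMP_RE.search(line)
    if not m:
        return None
    off = OFFSET_RE.search(line)
    return DumpRegion(
        name=m.group(0),
        base=int(m.group("base"), 16),
        protection=int(m.group("prot"), 16),
        mem_type=int(m.group("type"), 16),
        image_base=int(off.group(1), 16) if off else None,
    )


def parse_report_lines(lines: List[str]) -> List[DumpRegion]:
    return [r for r in (parse_dump_line(l) for l in lines) if r is not None]


def is_wx_image(r: DumpRegion) -> bool:
    # The loader maps image sections copy-on-write, so PAGE_EXECUTE_READWRITE on a
    # MEM_IMAGE region normally means the section rights were changed at run time.
    return r.mem_type == MEM_IMAGE and r.executable and r.writable


def flag_wx_image_pages(regions: List[DumpRegion]) -> List[DumpRegion]:
    return [r for r in regions if is_wx_image(r)]


# Lines copied from the Memory Dump Source list in the report above.
SAMPLE_LINES = [
    "• Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true",
    "• Associated: 00000000.00000002.2263326071.0000000000D80000.00000004.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2263377920.0000000000D86000.00000008.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2263432358.0000000000D96000.00000080.00000001.01000000.00000003.sdmpDownload File",
]

if __name__ == "__main__":
    for r in parse_report_lines(SAMPLE_LINES):
        flag = "W+X" if is_wx_image(r) else "   "
        print(f"{flag} {r.base:#010x} {r.protection_name:<24} {r.type_name}")
```

    Run against a whole report, the output separates the loader's normal image protections (PAGE_READWRITE data, PAGE_WRITECOPY sections) from the RWX image pages that the function entries in this section were dumped from.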

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph
    • Block 64: f5f8e2-f5f8f0
    • Block 65: f5f8f6-f5f8fd
    • Block 66: f5f902
    • Block 67: f5f909-f5f91f, call f5b3af, call f5bb13
    • Block 72: f5f925-f5f933, call f5bac1
    • Block 73: f5f93e
    • Block 79: f5f939
    • Block 80: f5f94a-f5f94f
    • Block 75: f5f942-f5f945
    • Block 76: f5f975-f5f97c, call f5b45a
    • Block 81: f5f955-f5f961, GetFileAttributesW
    • Block 82: f5f966-f5f969, GetFileAttributesA
    • Block 84: f5f96f-f5f970
    • Edges: 64->65, 64->66, 65->67, 66->67, 67->72, 67->73, 72->79, 72->80, 73->75, 75->76, 79->75, 80->81, 80->82, 81->84, 82->84, 84->76
    APIs
    • GetFileAttributesW.KERNELBASE(013601D4,-11545FEC), ref: 00F5F95B
    • GetFileAttributesA.KERNEL32(00000000,-11545FEC), ref: 00F5F969
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: 00000000.00000002.2263326071.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377920.0000000000D86000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263406654.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263432358.0000000000D96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263821957.0000000000EE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263849459.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263880109.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263981749.0000000000F25000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264003011.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264035504.0000000000F3C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264059150.0000000000F3D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264082874.0000000000F3E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264105522.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264130895.0000000000F48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264177351.0000000000F60000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264203553.0000000000F62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264226559.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264252259.0000000000F65000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264278696.0000000000F66000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264302497.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264328347.0000000000F7A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264351651.0000000000F7B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264373817.0000000000F7C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264396532.0000000000F7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264422384.0000000000F80000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264448995.0000000000F85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264472153.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264496981.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264523457.0000000000F9A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264556999.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264580607.0000000000F9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264603050.0000000000FA0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264620668.0000000000FA1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264645528.0000000000FA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264676345.0000000000FB8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264698500.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264722144.0000000000FC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264745645.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264776470.0000000000FD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264798225.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264832900.0000000001010000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264855145.0000000001011000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001012000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001019000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264932449.0000000001028000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264952953.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: aeebd93d16ce50dbfc89370e46d15ab1b85add1997ba2ef2fdf2a82dc8b4f88d
    • Instruction ID: 4318b5f15a3c91994d2dc72aa3b23b9083dae7c6da1b63505343a4daa99b1c1e
    • Opcode Fuzzy Hash: aeebd93d16ce50dbfc89370e46d15ab1b85add1997ba2ef2fdf2a82dc8b4f88d
    • Instruction Fuzzy Hash: 8E018C31904A09FADB219F64CE0D79CBE70BF4039AF2080B4EF0669091D7B49A9DF680
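    The control_flow_graph entries for the GetModuleHandle and GetFileAttributes wrappers above are generated from a flat text serialization: a decimal block id, the address or address range the block spans, any `call` targets or API names it contains, and `src->dst` edges. The Python below is an added example, not part of the report or of Joe Sandbox tooling. It parses that serialization and searches for the shape both functions share, a block whose successors each call a different import and then rejoin, which is how a wrapper that tries the W export and falls back to the A export looks in a graph. The two graph strings are copied from the report; the token grammar is inferred from them and is an assumption.

```python
"""Parse the flattened control_flow_graph text Joe Sandbox emits per function
and look for blocks that branch to alternative API calls (W/A fallback)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")   # src->dst
NODE_ID_RE = re.compile(r"^\d+$")         # decimal block id
SUBCALL_KW = "call"                       # followed by a hex target address


@dataclass
class Block:
    bid: int
    start: int
    end: int
    subcalls: List[int] = field(default_factory=list)  # "call <addr>" targets
    apis: List[str] = field(default_factory=list)      # imported API names


@dataclass
class CFG:
    blocks: Dict[int, Block]
    edges: List[Tuple[int, int]]

    def successors(self, bid: int) -> List[int]:
        return [d for s, d in self.edges if s == bid]

    def predecessors(self, bid: int) -> List[int]:
        return [s for s, d in self.edges if d == bid]


def parse_cfg(text: str) -> CFG:
    """Assumed grammar, inferred from the report's own entries:
    <id> <addr>[-<addr>] (call <addr> | <ApiName>)*   defines a block,
    <id>-><id>                                        defines an edge."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    cur: Optional[Block] = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif NODE_ID_RE.match(tok):
            # A block id is always followed by its address range.
            lo, _, hi = tokens[i + 1].partition("-")
            cur = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            blocks[cur.bid] = cur
            i += 2
        elif tok == SUBCALL_KW:
            if cur is None:
                raise ValueError("call before any block")
            cur.subcalls.append(int(tokens[i + 1], 16))
            i += 2
        else:
            if cur is None:
                raise ValueError(f"API name {tok!r} before any block")
            cur.apis.append(tok)
            i += 1
    return CFG(blocks, edges)


def api_sites(cfg: CFG) -> List[Tuple[int, str]]:
    """(block start address, API name) for every block that calls an import."""
    return sorted((b.start, api) for b in cfg.blocks.values() for api in b.apis)


def alternative_api_calls(cfg: CFG) -> List[Tuple[int, List[str], int]]:
    """Blocks whose successors each call a different API and then rejoin at a
    common block: the shape of a wrapper that picks one export or falls back to another."""
    found = []
    for bid in cfg.blocks:
        api_succ = [s for s in cfg.successors(bid) if cfg.blocks[s].apis]
        if len(api_succ) < 2:
            continue
        joins = set.intersection(*(set(cfg.successors(s)) for s in api_succ))
        names = sorted(cfg.blocks[s].apis[0] for s in api_succ)
        if joins and len(set(names)) == len(names):
            found.append((bid, names, min(joins)))
    return found


# Graph strings copied verbatim from the two function entries above.
CFG_GETMODULEHANDLE = (
    "control_flow_graph 37 f5cf88-f5cf99 call f5c8ec 40 f5cfa4-f5cfad call f5b3af 37->40 "
    "41 f5cf9f 37->41 48 f5cfe1-f5cfe8 40->48 49 f5cfb3-f5cfbf call f5bac1 40->49 "
    "42 f5d038-f5d03c 41->42 44 f5d050-f5d053 GetModuleHandleA 42->44 "
    "45 f5d042-f5d04b GetModuleHandleW 42->45 47 f5d059 44->47 45->47 "
    "51 f5d063-f5d065 47->51 52 f5d033 call f5b45a 48->52 53 f5cfee-f5cff5 48->53 "
    "56 f5cfc4-f5cfc6 49->56 52->42 53->52 54 f5cffb-f5d002 53->54 54->52 "
    "57 f5d008-f5d00f 54->57 56->52 58 f5cfcc-f5cfd1 56->58 57->52 "
    "59 f5d015-f5d029 57->59 58->52 60 f5cfd7-f5d05e call f5b45a 58->60 59->52 60->51"
)
CFG_GETFILEATTRIBUTES = (
    "control_flow_graph 64 f5f8e2-f5f8f0 65 f5f8f6-f5f8fd 64->65 66 f5f902 64->66 "
    "67 f5f909-f5f91f call f5b3af call f5bb13 65->67 66->67 "
    "72 f5f925-f5f933 call f5bac1 67->72 73 f5f93e 67->73 79 f5f939 72->79 "
    "80 f5f94a-f5f94f 72->80 75 f5f942-f5f945 73->75 76 f5f975-f5f97c call f5b45a 75->76 "
    "79->75 81 f5f955-f5f961 GetFileAttributesW 80->81 82 f5f966-f5f969 GetFileAttributesA "
    "80->82 84 f5f96f-f5f970 81->84 82->84 84->76"
)

if __name__ == "__main__":
    for name, text in (("GetModuleHandle wrapper", CFG_GETMODULEHANDLE),
                       ("GetFileAttributes wrapper", CFG_GETFILEATTRIBUTES)):
        g = parse_cfg(text)
        print(f"{name}: {len(g.blocks)} blocks, {len(g.edges)} edges")
        for start, api in api_sites(g):
            print(f"  {start:#x} {api}")
        for bid, apis, join in alternative_api_calls(g):
            print(f"  block {bid} branches to {' / '.join(apis)} and rejoins at block {join}")
```

    Both graphs report one such fork: block 42 (GetModuleHandleW at f5d042, GetModuleHandleA at f5d050, rejoining at block 47) and block 80 (GetFileAttributesW at f5f955, GetFileAttributesA at f5f966, rejoining at block 84), which matches the two-entry APIs lists above each graph.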

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph
    • Block 85: f03ee5-f03ee7, LoadLibraryA
    • Block 86: f03f03-f04024
    • Block 87: f03eed-f03f02
    • Edges: 85->86, 85->87, 87->86
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: 00000000.00000002.2263326071.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377920.0000000000D86000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263406654.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263432358.0000000000D96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263821957.0000000000EE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263849459.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263880109.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263981749.0000000000F25000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264003011.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264035504.0000000000F3C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264059150.0000000000F3D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264082874.0000000000F3E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264105522.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264130895.0000000000F48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264177351.0000000000F60000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264203553.0000000000F62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264226559.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264252259.0000000000F65000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264278696.0000000000F66000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264302497.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264328347.0000000000F7A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264351651.0000000000F7B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264373817.0000000000F7C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264396532.0000000000F7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264422384.0000000000F80000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264448995.0000000000F85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264472153.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264496981.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264523457.0000000000F9A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264556999.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264580607.0000000000F9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264603050.0000000000FA0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264620668.0000000000FA1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264645528.0000000000FA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264676345.0000000000FB8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264698500.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264722144.0000000000FC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264745645.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264776470.0000000000FD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264798225.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264832900.0000000001010000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264855145.0000000001011000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001012000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001019000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264932449.0000000001028000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264952953.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: |9_?
    • API String ID: 1029625771-2689757825
    • Opcode ID: ac9fa8d8bb3373c0e34b68bcc836dae93b59ebde16a314ab544b164070023cba
    • Instruction ID: 17aff8ff5d027d6b7d0be9c4884b06b5b66eb44a47f75c80758bfea93e202566
    • Opcode Fuzzy Hash: ac9fa8d8bb3373c0e34b68bcc836dae93b59ebde16a314ab544b164070023cba
    • Instruction Fuzzy Hash: EC3104B290C710EFD705AF09D881A6AFBE8EF58720F02482DE6C897210D7754890DB87

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph
    • Block 89: f5b962-f5b992
    • Block 91: f5babd-f5babe
    • Block 92: f5b998-f5b9ad
    • Block 94: f5b9b3-f5b9b7
    • Block 95: f5b9bd-f5b9cf, PathAddExtensionA
    • Block 96: f5b9d9-f5b9e0
    • Block 99: f5b9d8
    • Block 97: f5b9e6-f5b9f5, call f5b603
    • Block 98: f5ba02-f5ba09
    • Block 103: f5b9fa-f5b9fc
    • Block 101: f5ba0f-f5ba16
    • Block 102: f5ba4b-f5ba52
    • Block 104: f5ba1c-f5ba25
    • Block 105: f5ba2f-f5ba3e, call f5b603
    • Block 106: f5ba74-f5ba7b
    • Block 107: f5ba58-f5ba6e, call f5b603
    • Block 111: f5ba2b
    • Block 116: f5ba43-f5ba45
    • Block 109: f5ba81-f5ba97, call f5b603
    • Block 110: f5ba9d-f5baa4
    • Block 115: f5baaa-f5bab7, call f5b63c
    • Edges: 89->91, 89->92, 92->91, 92->94, 94->95, 94->96, 95->99, 96->97, 96->98, 97->103, 98->101, 98->102, 99->96, 101->104, 101->105, 102->106, 102->107, 103->91, 103->98, 104->105, 104->111, 105->116, 106->109, 106->110, 107->91, 107->106, 109->91, 109->110, 110->91, 110->115, 111->105, 115->91, 116->91, 116->102
    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 00F5B9C4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: 00000000.00000002.2263326071.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377920.0000000000D86000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263406654.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263432358.0000000000D96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263821957.0000000000EE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263849459.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263880109.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263981749.0000000000F25000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264003011.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264035504.0000000000F3C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264059150.0000000000F3D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264082874.0000000000F3E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264105522.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264130895.0000000000F48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264177351.0000000000F60000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264203553.0000000000F62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264226559.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264252259.0000000000F65000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264278696.0000000000F66000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264302497.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264328347.0000000000F7A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264351651.0000000000F7B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264373817.0000000000F7C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264396532.0000000000F7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264422384.0000000000F80000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264448995.0000000000F85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264472153.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264496981.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264523457.0000000000F9A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264556999.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264580607.0000000000F9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264603050.0000000000FA0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264620668.0000000000FA1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264645528.0000000000FA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264676345.0000000000FB8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264698500.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264722144.0000000000FC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264745645.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264776470.0000000000FD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264798225.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264832900.0000000001010000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264855145.0000000001011000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001012000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001019000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264932449.0000000001028000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264952953.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 624628676c8219515d1452a89bac56c18523f132b19a01c5e687c6517cdc31a0
    • Instruction ID: 3a4f889ea6cffd140235b447c48fabfad662c54452ba99ef199fb33a99ca2816
    • Opcode Fuzzy Hash: 624628676c8219515d1452a89bac56c18523f132b19a01c5e687c6517cdc31a0
    • Instruction Fuzzy Hash: 24313735A00609BEDF21DF94CC1AB9EBB76BF08756F001050FE01A5061D73A9AA9EF50

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph
    • Block 120: f5d071-f5d084, call f5b3af
    • Block 123: f5d0c7-f5d0db, call f5b45a, GetModuleHandleExA
    • Block 124: f5d08a-f5d096, call f5bac1
    • Block 130: f5d0e5-f5d0e7
    • Block 128: f5d09b-f5d09d
    • Block 129: f5d0a3-f5d0aa
    • Block 131: f5d0b0
    • Block 132: f5d0b3-f5d0e0, call f5b45a
    • Edges: 120->123, 120->124, 123->130, 124->128, 128->123, 128->129, 129->131, 129->132, 131->132, 132->130
    APIs
      • Part of subcall function 00F5B3AF: GetCurrentThreadId.KERNEL32 ref: 00F5B3BE
      • Part of subcall function 00F5B3AF: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F5B401
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00F5D0D5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleSleepThread
    • String ID: .dll
    • API String ID: 683542999-2738580789
    • Opcode ID: 1fdf7dadffbe573b72b61c23fc7cd01f246bb5a8576ed8124aadfd97d1f5de3a
    • Instruction ID: c001be8ce37ff2a02a331544b61d9feb54556a61cfe3d13941d1b79dc9b8dcbb
    • Opcode Fuzzy Hash: 1fdf7dadffbe573b72b61c23fc7cd01f246bb5a8576ed8124aadfd97d1f5de3a
    • Instruction Fuzzy Hash: F7F03A72205204EFEF20DF64C849BAA7BB4FF54352F20C015FF068A19AD735D4A9BA61

    Control-flow Graph

    • Graph image not reproduced (nodes are basic blocks with their API calls; legend: Executed / Not Executed)
    APIs
    • CreateFileW.KERNELBASE(013601D4,?,?,-11545FEC,?,?,?,-11545FEC,?), ref: 00F5FBB0
      • Part of subcall function 00F5FAB0: IsBadWritePtr.KERNEL32(?,00000004), ref: 00F5FABE
    • CreateFileA.KERNEL32(?,?,?,-11545FEC,?,?,?,-11545FEC,?), ref: 00F5FBD0
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: c59cce56082b4a8660b1846ac8d0f96ffc5988e20ed4cb3f3a971dd80257e253
    • Instruction ID: 65a6324cc6c3a6dc93743403d1903c502ccba1ed804246d5d460f3f00fc63d60
    • Opcode Fuzzy Hash: c59cce56082b4a8660b1846ac8d0f96ffc5988e20ed4cb3f3a971dd80257e253
    • Instruction Fuzzy Hash: C7112C3250010AFADF229F90CD19F9D7E32BF88356F148165BF0694061C77685ADFB41

    Control-flow Graph

    • Graph image not reproduced (nodes are basic blocks with their API calls; legend: Executed / Not Executed)
    APIs
      • Part of subcall function 00F5B3AF: GetCurrentThreadId.KERNEL32 ref: 00F5B3BE
      • Part of subcall function 00F5B3AF: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F5B401
    • GetCurrentProcess.KERNEL32(-11545FEC), ref: 00F5F477
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F5F4DD
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessSleepThread
    • String ID:
    • API String ID: 2846201637-0
    • Opcode ID: 8dd7b413479f95bd1d2325ae489ea6871e9ef73667fc8de25151ddc8a976b71f
    • Instruction ID: e9c77072654956dc25088837749d9e5c9794aa6ed02cb3d3dd7a2530efdd8344
    • Opcode Fuzzy Hash: 8dd7b413479f95bd1d2325ae489ea6871e9ef73667fc8de25151ddc8a976b71f
    • Instruction Fuzzy Hash: 7D01F63260040ABBCF22AFA8DC08D9F3B75BF98366B048122FF0695051C739C569FB61

    Control-flow Graph

    • Graph image not reproduced (nodes are basic blocks with their API calls; legend: Executed / Not Executed)
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00F5B3BE
    • Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F5B401
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: 856e88d5299d55be1a1ccc27f3f128bc363245ffc3e3f27b5b70ae7cf31fc1e5
    • Instruction ID: 9dd5631ba2297c33d35b4d9ef8fc851237e09b37a4ffa47c77e61105b2e1a8cd
    • Opcode Fuzzy Hash: 856e88d5299d55be1a1ccc27f3f128bc363245ffc3e3f27b5b70ae7cf31fc1e5
    • Instruction Fuzzy Hash: EBF0593150110AEBC721DF61C94935FB7B4FF0032BF20403ADA02A6451CB755C8AFAC1

    Control-flow Graph

    • Graph image not reproduced (nodes are basic blocks with their API calls; legend: Executed / Not Executed)
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00F5DB9E
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: 00000000.00000002.2264645528.0000000000FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2264676345.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2264698500.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2264722144.0000000000FC8000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2264745645.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2264776470.0000000000FD5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2264798225.0000000000FD9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2264832900.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2264855145.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2264878352.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2264878352.0000000001019000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2264932449.0000000001028000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2264952953.000000000102A000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 2b363fa74671fc619e87a3ff57c293566f51cd2b09ffd3ce8d972b13865c8a65
    • Instruction ID: 8d0dff0625a9ad2dbecbc3ae081ef616d509c548267d9b9e4c3e3d5e92811396
    • Opcode Fuzzy Hash: 2b363fa74671fc619e87a3ff57c293566f51cd2b09ffd3ce8d972b13865c8a65
    • Instruction Fuzzy Hash: 19319E71900204FEEB30DF64DC49F9EBBB8FF44325F208169FA05AA191C7759A99EB10

    Control-flow Graph (basic blocks with their successors; block 265 holds the CreateFileA call)
    • 256: f5d305-f5d314, call f5b48d -> 259, 260
    • 259: f5d41a -> 262
    • 260: f5d31a-f5d32b, call f5d2cb -> 264, 265
    • 262: f5d421-f5d425 (no successors)
    • 264: f5d331-f5d335 -> 266, 267
    • 265: f5d34b-f5d391, CreateFileA -> 268, 269
    • 266: f5d348 -> 265
    • 267: f5d33b-f5d347 -> 266
    • 268: f5d397-f5d3b8 -> 269, 277
    • 269: f5d3dc-f5d3df -> 270, 271
    • 270: f5d3e5-f5d3fc, call f5b1cf -> 262, 278
    • 271: f5d412-f5d415, call f5d15a -> 259
    • 277: f5d3be-f5d3db -> 269
    • 278: f5d402-f5d40d, call f5d1c8 -> 259
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00F5D387
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: identical to the list of 00D80000 image regions given for the preceding function (same source region 00F51000)
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: ce6a7ff304927915400b6cce129c92f80e3e9b3d0e47480c7f9740d22efabbe1
    • Instruction ID: 5be136aaf51264f93c58181b9a500a6b439cc72d0249b4645b27d4f535c092ff
    • Opcode Fuzzy Hash: ce6a7ff304927915400b6cce129c92f80e3e9b3d0e47480c7f9740d22efabbe1
    • Instruction Fuzzy Hash: 8B31E171A00204BAEB30DF64DC46F8977B8FF04729F208225FB15EA0D1C7B6A5869B14

    Control-flow Graph (basic blocks with their successors; block 286 holds the OpenSCManagerW call)
    • 282: 50d0d41-50d0d97 -> 284, 285
    • 284: 50d0d9f-50d0da3 -> 286, 287
    • 285: 50d0d99-50d0d9c -> 284
    • 286: 50d0dab-50d0dda, OpenSCManagerW -> 288, 289
    • 287: 50d0da5-50d0da8 -> 286
    • 288: 50d0ddc-50d0de2 -> 289
    • 289: 50d0de3-50d0df7 (no successors)
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 050D0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2267845297.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_50d0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 7a4ea619f1b555c03c209c6cd4ab57a55bfc9a012364df2c2e7b6a3559663e67
    • Instruction ID: 1c03066e9408862b72c4c1918a17d6728221cd0ed9c3cd27314906a32d2bfabb
    • Opcode Fuzzy Hash: 7a4ea619f1b555c03c209c6cd4ab57a55bfc9a012364df2c2e7b6a3559663e67
    • Instruction Fuzzy Hash: 352134B6D016199FCB50CF99E884ADEFBF0FF88720F14861AD909AB204D774A541CBA4

    Control-flow Graph (basic blocks with their successors; block 295 holds the OpenSCManagerW call)
    • 291: 50d0d48-50d0d97 -> 293, 294
    • 293: 50d0d9f-50d0da3 -> 295, 296
    • 294: 50d0d99-50d0d9c -> 293
    • 295: 50d0dab-50d0dda, OpenSCManagerW -> 297, 298
    • 296: 50d0da5-50d0da8 -> 295
    • 297: 50d0ddc-50d0de2 -> 298
    • 298: 50d0de3-50d0df7 (no successors)
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 050D0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2267845297.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_50d0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 0aa039bf7339f2bf8152b35f5a5fd6d3531d5b1d70657cf989f0f344a1c67446
    • Instruction ID: 491908f1326dc31c09174f4cca9020fa1cb4c242fee958d50d349ee2820f804f
    • Opcode Fuzzy Hash: 0aa039bf7339f2bf8152b35f5a5fd6d3531d5b1d70657cf989f0f344a1c67446
    • Instruction Fuzzy Hash: AF2104B68057199FCB50CF99E884ADEFBF4FB88720F14851AD909AB204D774A540CBA4
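Joe Sandbox emits each function's control-flow graph as a flat node/edge list: `<id> <start>[-<end>]` declares a basic block, an optional `call <target>` or imported API name annotates it, and `<src>-><dst>` declares an edge. The helper below is an added example (this editor's code, not part of Joe Sandbox or of the report). It parses the raw graphs of the CreateFileA function at f5d305 and the OpenSCManagerW function at 50d0d41, both copied from this report, and answers what an analyst actually wants from the picture: which block issues the API call, the shortest path from the function entry to it, and which blocks every path must cross (the checks that gate the call). Treating the first declared block as the function entry is an assumption of the example.

```python
"""Parse Joe Sandbox control_flow_graph node/edge lists and locate the API call.

Added example, not Joe Sandbox code. Assumption: the first declared block is
the function entry.
"""
import re
from collections import deque

# Constructed samples: the two graphs copied from the report (CreateFileA
# function at f5d305, OpenSCManagerW function at 50d0d41).
CFG_CREATEFILE = ("256 f5d305-f5d314 call f5b48d 259 f5d41a 256->259 260 f5d31a-f5d32b call f5d2cb "
                  "256->260 262 f5d421-f5d425 259->262 264 f5d331-f5d335 260->264 265 f5d34b-f5d391 "
                  "CreateFileA 260->265 266 f5d348 264->266 267 f5d33b-f5d347 264->267 268 f5d397-f5d3b8 "
                  "265->268 269 f5d3dc-f5d3df 265->269 266->265 267->266 268->269 277 f5d3be-f5d3db "
                  "268->277 270 f5d3e5-f5d3fc call f5b1cf 269->270 271 f5d412-f5d415 call f5d15a 269->271 "
                  "270->262 278 f5d402-f5d40d call f5d1c8 270->278 271->259 277->269 278->259")
CFG_OPENSCM = ("282 50d0d41-50d0d97 284 50d0d9f-50d0da3 282->284 285 50d0d99-50d0d9c 282->285 "
               "286 50d0dab-50d0dda OpenSCManagerW 284->286 287 50d0da5-50d0da8 284->287 285->284 "
               "288 50d0ddc-50d0de2 286->288 289 50d0de3-50d0df7 286->289 287->286 288->289")

RANGE_RE = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")   # "f5d41a" or "f5d305-f5d314"


def parse_cfg(text):
    """Return ({block_id: {range, calls, apis}}, [(src, dst), ...])."""
    tokens = text.split()
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                                  # edge
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
        elif tok == "call":                              # internal call target follows
            nodes[current]["calls"].append(tokens[i + 1])
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and RANGE_RE.match(tokens[i + 1]):
            current = int(tok)                           # new block declaration
            nodes[current] = {"range": tokens[i + 1], "calls": [], "apis": []}
            i += 1
        else:                                            # imported API named in the block
            nodes[current]["apis"].append(tok)
        i += 1
    return nodes, edges


def successors(nodes, edges):
    succ = {n: [] for n in nodes}
    for src, dst in edges:
        succ[src].append(dst)
    return succ


def reachable(succ, start, blocked=frozenset()):
    """Blocks reachable from start without passing through any blocked block."""
    seen, work = set(), [start]
    while work:
        n = work.pop()
        if n in seen or n in blocked:
            continue
        seen.add(n)
        work.extend(succ.get(n, []))
    return seen


def shortest_path(succ, start, goal):
    """Breadth-first search; returns the block sequence or None if unreachable."""
    prev, queue = {start: None}, deque([start])
    while queue:
        n = queue.popleft()
        if n == goal:
            break
        for m in succ.get(n, []):
            if m not in prev:
                prev[m] = n
                queue.append(m)
    if goal not in prev:
        return None
    path, n = [], goal
    while n is not None:
        path.append(n)
        n = prev[n]
    return path[::-1]


def analyze(text, api):
    """Locate the block calling `api` and the blocks every path to it must cross."""
    nodes, edges = parse_cfg(text)
    succ = successors(nodes, edges)
    entry = next(iter(nodes))                            # first declared block (assumption)
    target = next(n for n, info in nodes.items() if api in info["apis"])
    # A block is a gate if blocking it makes the target unreachable from the
    # entry: those are the checks the sample performs before issuing the call.
    gates = sorted(n for n in nodes if n not in (entry, target)
                   and target not in reachable(succ, entry, blocked={n}))
    return {
        "entry": entry,
        "target": target,
        "target_range": nodes[target]["range"],
        "path": shortest_path(succ, entry, target),
        "gates": gates,
        "exits": sorted(n for n in nodes if not succ[n]),
    }


if __name__ == "__main__":
    print(analyze(CFG_CREATEFILE, "CreateFileA"))
    print(analyze(CFG_OPENSCM, "OpenSCManagerW"))
```

For the CreateFileA function the only gate is block 260 (f5d31a-f5d32b, which calls f5d2cb first); for the OpenSCManagerW function it is block 284. Those are the blocks to break on when you want to see the arguments the sample builds before the call.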
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 050D1580
    Memory Dump Source
    • Source File: 00000000.00000002.2267845297.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_50d0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: d610a04c434b7b4bc75b57b2096b1c436c2582b38a0e4b25a5b8944113d32f26
    • Instruction ID: 4061d96cab6f21e80222862383d87e8d61f5ec740995736acd3a06ca3778e11a
    • Opcode Fuzzy Hash: d610a04c434b7b4bc75b57b2096b1c436c2582b38a0e4b25a5b8944113d32f26
    • Instruction Fuzzy Hash: CA21D3B2904349DFDB10CF9AD584BDEFBF4EB48320F108429E559A7250D778A644CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 050D1580
    Memory Dump Source
    • Source File: 00000000.00000002.2267845297.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_50d0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 528d39f7ea92a345b9cd7cc0d97f83b6e49bdbc2aa39e5c086a080b9b16494a6
    • Instruction ID: efe7e336ecdb8b9acb2f4752cde4573b56b36178f080a2f474672c326dfb25fd
    • Opcode Fuzzy Hash: 528d39f7ea92a345b9cd7cc0d97f83b6e49bdbc2aa39e5c086a080b9b16494a6
    • Instruction Fuzzy Hash: 0811D3B2904349DFDB10CF9AD584BDEFBF4AB48320F108429E559A3250D778A644CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 050D1367
    Memory Dump Source
    • Source File: 00000000.00000002.2267845297.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_50d0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 10dbf9dd300d20ec542025fc658c2e70277c5f6f5dcca4cfd33b5bd6aef4835c
    • Instruction ID: 7139345f35b403c31b9777fd46620c31a76de5cb730c90598f9739333140057f
    • Opcode Fuzzy Hash: 10dbf9dd300d20ec542025fc658c2e70277c5f6f5dcca4cfd33b5bd6aef4835c
    • Instruction Fuzzy Hash: 141134B2800249CFDB10CF9AD544BDEFBF4EF48220F108429D918A3640C778A945CBA0
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 050D1367
    Memory Dump Source
    • Source File: 00000000.00000002.2267845297.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_50d0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 6df0f45f55f67487100fe1bce54932d75440c996141df8f74c1294a66010531b
    • Instruction ID: a92ca849084c350ea55d58c84dd4fb2950f228080826b210b85638beab6e5ae9
    • Opcode Fuzzy Hash: 6df0f45f55f67487100fe1bce54932d75440c996141df8f74c1294a66010531b
    • Instruction Fuzzy Hash: 531125B1800349CFDB10CF9AD545BDEFBF4AB48320F20842AD518A3250D778A544CFA5
    APIs
      • Part of subcall function 00F5B3AF: GetCurrentThreadId.KERNEL32 ref: 00F5B3BE
      • Part of subcall function 00F5B3AF: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F5B401
    • ReadFile.KERNELBASE(?,00000400,?,?,00F5DA31,-11545FEC,?,?,00F5DA31,?,?,00000400,?,00000000), ref: 00F5FD6E
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: identical to the lists of 00D80000 image regions given for the CreateFileA functions above (same source region 00F51000)
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: CurrentFileReadSleepThread
    • String ID:
    • API String ID: 1253362762-0
    • Opcode ID: 655a4d3281ba114a8f88b9dfba5fabca254b01a7f73ccc95687fd7c6b8575a89
    • Instruction ID: d843d86c7068d3eb25efe8517bd806e4071f3ced8af77e21204e2f72cdb1ea48
    • Opcode Fuzzy Hash: 655a4d3281ba114a8f88b9dfba5fabca254b01a7f73ccc95687fd7c6b8575a89
    • Instruction Fuzzy Hash: 9EF0B632104549EACF129FA8DC05E9A3B76BF54352B008061BF165A065C736C469FB61
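The `APIs` entries above record raw argument slots (`?` where the sandbox could not recover a value), so a reader has to decode them by hand to see that the CreateFileA at 00F5D387 opens an existing file read-only with read sharing, or that the OpenSCManagerW at 050D0DCD targets the local service control manager. The helper below is an added example (this editor's code, not Joe Sandbox code): it parses the API lines of the CreateFileA, OpenSCManagerW, ControlService, ImpersonateLoggedOnUser, ReadFile, VirtualAlloc and Sleep-subcall entries copied from this report, names the numeric CreateFile and OpenSCManager arguments with their Win32 constants, and tags each call with a behaviour bucket that lines up with the report's signatures. The category table and the reading of `?` as an unrecovered stack slot are the example's own assumptions.

```python
"""Decode the "APIs" lines of Joe Sandbox function blocks.

Each line has the shape  Api.Module(arg,arg,...), ref: <call site>  where an
argument is a hex stack slot, a negative hex value, or "?" when the sandbox
could not recover it. Added example, not Joe Sandbox code; the category
table and the meaning assigned to "?" are assumptions.
"""
import re

# Constructed sample input: API lines copied from the function blocks above.
SAMPLE_API_LINES = [
    "CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00F5D387",
    "OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 050D0DCD",
    "ControlService.ADVAPI32(?,?,?), ref: 050D1580",
    "ImpersonateLoggedOnUser.KERNELBASE ref: 050D1367",
    "ReadFile.KERNELBASE(?,00000400,?,?,00F5DA31,-11545FEC,?,?,00F5DA31,?,?,00000400,?,00000000), ref: 00F5FD6E",
    "VirtualAlloc.KERNELBASE(00000000), ref: 00D8F508",
    "Part of subcall function 00F5B3AF: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F5B401",
]

LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"  # optional subcall prefix
    r"(?P<api>\w+)\.(?P<module>\w+)"                              # CreateFileA.KERNELBASE
    r"(?:\((?P<args>[^)]*)\))?"                                   # optional (arg,arg,...)
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"                         # call-site address
)

# Win32 constants used to name CreateFile's numeric arguments.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# Behaviour buckets chosen to line up with the report's signature names (assumption).
CATEGORIES = {
    "service control": {"OpenSCManagerW", "OpenSCManagerA", "OpenServiceW", "OpenServiceA",
                        "ControlService", "ChangeServiceConfigW", "DeleteService"},
    "token impersonation": {"ImpersonateLoggedOnUser", "DuplicateTokenEx", "SetThreadToken"},
    "memory allocation": {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect"},
    "file access": {"CreateFileA", "CreateFileW", "ReadFile", "WriteFile"},
    "timing / delay": {"Sleep", "SleepEx", "GetTickCount", "QueryPerformanceCounter"},
}


def parse_arg(tok):
    """'?' -> None (slot the sandbox could not recover); otherwise signed hex -> int."""
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)


def parse_api_line(line):
    """Parse one APIs line into api/module/args/ref/caller.

    Joe Sandbox prints raw stack slots, so there can be more args than the API
    declares (ReadFile shows 14 slots for 5 parameters, Sleep 3 for 1); only
    the leading positions are trustworthy.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an API line: %r" % line)
    args = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": [parse_arg(a) for a in args.split(",")] if args is not None else [],
        "ref": int(m.group("ref"), 16),
        "caller": int(m.group("caller"), 16) if m.group("caller") else None,
    }


def expand_flags(value, table):
    """Expand a bitmask into names; bits the table does not know stay as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append("0x%X" % rest)
    return names or ["0"]


def decode_create_file(args):
    """Name the numeric CreateFile arguments (positions 1-4 after lpFileName)."""
    access, share, _security, disposition = (args + [None] * 5)[1:5]
    return {
        "dwDesiredAccess": expand_flags(access, GENERIC_ACCESS) if access is not None else ["?"],
        "dwShareMode": expand_flags(share, SHARE_MODE) if share is not None else ["?"],
        "dwCreationDisposition": DISPOSITION.get(
            disposition, "?" if disposition is None else "0x%X" % disposition),
    }


def classify(api):
    for category, names in CATEGORIES.items():
        if api in names:
            return category
    return "other"


def summarize(lines):
    """One record per API line, with decoded arguments where the API is known."""
    records = []
    for line in lines:
        rec = parse_api_line(line)
        rec["category"] = classify(rec["api"])
        if rec["api"] in ("CreateFileA", "CreateFileW"):
            rec["decoded"] = decode_create_file(rec["args"])
        elif rec["api"] in ("OpenSCManagerW", "OpenSCManagerA"):
            machine, database = (rec["args"] + [None, None])[:2]
            rec["decoded"] = {  # NULL machine/database = local SCM, active services database
                "lpMachineName": "NULL (local SCM)" if machine == 0 else machine,
                "lpDatabaseName": "NULL (SERVICES_ACTIVE_DATABASE)" if database == 0 else database,
            }
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in summarize(SAMPLE_API_LINES):
        print("%08X %-24s %-20s %s" % (rec["ref"], rec["api"], rec["category"], rec.get("decoded", "")))
```

Run against the report's lines this yields GENERIC_READ / FILE_SHARE_READ / OPEN_EXISTING for the CreateFileA at 00F5D387 and a local-SCM handle request for the OpenSCManagerW at 050D0DCD; the ControlService and ImpersonateLoggedOnUser entries carry no recoverable arguments, so only their category is reported.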
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: the same 00D80000 image regions as listed for the functions above, plus 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp; the source region 00F0E000 itself is omitted
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 9579415ed8db6d8e12b1ae320d61b74a3f02c0b3a34ad1473a04f4a595605fa8
    • Instruction ID: e0f4072e227da29737acb61bf554df0a03bd2f2b70b62fffeb529cbb7ff2a344
    • Opcode Fuzzy Hash: 9579415ed8db6d8e12b1ae320d61b74a3f02c0b3a34ad1473a04f4a595605fa8
    • Instruction Fuzzy Hash: 95D012B3A0DA04DAE3045E6995047FEB7A5EBD5B62F34C43FE14A82114E1B54C827726
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 00D8F508
    Memory Dump Source
    • Source File: 00000000.00000002.2263406654.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: 00000000.00000002.2263326071.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377920.0000000000D86000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263432358.0000000000D96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263821957.0000000000EE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263849459.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263880109.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263981749.0000000000F25000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264003011.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264035504.0000000000F3C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264059150.0000000000F3D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264082874.0000000000F3E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264105522.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264130895.0000000000F48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264177351.0000000000F60000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264203553.0000000000F62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264226559.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264252259.0000000000F65000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264278696.0000000000F66000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264302497.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264328347.0000000000F7A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264351651.0000000000F7B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264373817.0000000000F7C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264396532.0000000000F7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264422384.0000000000F80000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264448995.0000000000F85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264472153.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264496981.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264523457.0000000000F9A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264556999.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264580607.0000000000F9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264603050.0000000000FA0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264620668.0000000000FA1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264645528.0000000000FA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264676345.0000000000FB8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264698500.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264722144.0000000000FC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264745645.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264776470.0000000000FD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264798225.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264832900.0000000001010000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264855145.0000000001011000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001012000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001019000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264932449.0000000001028000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264952953.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 02e1c3806ae364bcdb09f03ad5951ab20295b44de786627f04f56d9abbfb13dc
    • Instruction ID: b224afb95dfbe191649dece291e9d5d4b49f880563e31b6fa78fb75612368fc9
    • Opcode Fuzzy Hash: 02e1c3806ae364bcdb09f03ad5951ab20295b44de786627f04f56d9abbfb13dc
    • Instruction Fuzzy Hash: 6D119EB290C209DBC3442F38984867EB7E4EF54720F6546ADB4D586681E63098809B26
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: 00000000.00000002.2263326071.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377920.0000000000D86000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263406654.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263432358.0000000000D96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263821957.0000000000EE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263849459.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263880109.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263981749.0000000000F25000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264003011.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264035504.0000000000F3C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264059150.0000000000F3D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264082874.0000000000F3E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264105522.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264130895.0000000000F48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264177351.0000000000F60000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264203553.0000000000F62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264226559.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264252259.0000000000F65000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264278696.0000000000F66000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264302497.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264328347.0000000000F7A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264351651.0000000000F7B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264373817.0000000000F7C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264396532.0000000000F7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264422384.0000000000F80000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264448995.0000000000F85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264472153.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264496981.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264523457.0000000000F9A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264556999.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264580607.0000000000F9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264603050.0000000000FA0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264620668.0000000000FA1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264645528.0000000000FA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264676345.0000000000FB8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264698500.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264722144.0000000000FC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264745645.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264776470.0000000000FD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264798225.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264832900.0000000001010000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264855145.0000000001011000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001012000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001019000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264932449.0000000001028000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264952953.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: cbc833412da24dd2dcb92d5c4bda30447508e911fa573726672164f0c65480ee
    • Instruction ID: 416b4e057df4bc6e2e6442384e63ec2baa6cf87e172a5a8a0d188b2640d80bff
    • Opcode Fuzzy Hash: cbc833412da24dd2dcb92d5c4bda30447508e911fa573726672164f0c65480ee
    • Instruction Fuzzy Hash: E601FB76A0054ABFCF119FA9CC04EDEBF76EF44742F041165FA01A5464EB328665EFA0
    APIs
      • Part of subcall function 00F5B3AF: GetCurrentThreadId.KERNEL32 ref: 00F5B3BE
      • Part of subcall function 00F5B3AF: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F5B401
    • CloseHandle.KERNELBASE(00F5DAC6,-11545FEC,?,?,00F5DAC6,?), ref: 00F5E141
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: 00000000.00000002.2263326071.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377920.0000000000D86000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263406654.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263432358.0000000000D96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263821957.0000000000EE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263849459.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263880109.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263981749.0000000000F25000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264003011.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264035504.0000000000F3C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264059150.0000000000F3D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264082874.0000000000F3E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264105522.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264130895.0000000000F48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264177351.0000000000F60000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264203553.0000000000F62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264226559.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264252259.0000000000F65000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264278696.0000000000F66000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264302497.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264328347.0000000000F7A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264351651.0000000000F7B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264373817.0000000000F7C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264396532.0000000000F7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264422384.0000000000F80000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264448995.0000000000F85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264472153.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264496981.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264523457.0000000000F9A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264556999.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264580607.0000000000F9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264603050.0000000000FA0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264620668.0000000000FA1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264645528.0000000000FA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264676345.0000000000FB8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264698500.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264722144.0000000000FC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264745645.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264776470.0000000000FD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264798225.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264832900.0000000001010000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264855145.0000000001011000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001012000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001019000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264932449.0000000001028000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264952953.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleSleepThread
    • String ID:
    • API String ID: 4003616898-0
    • Opcode ID: fdb7e029527fa9b0118d50c57724f06fccb69237499ab00ff0df8620634f044f
    • Instruction ID: 0badc4e2f51c6867064cf27f89846d030f5ced07e0074871c1149db3c03c304e
    • Opcode Fuzzy Hash: fdb7e029527fa9b0118d50c57724f06fccb69237499ab00ff0df8620634f044f
    • Instruction Fuzzy Hash: 77E04F73204805A9DE207F78DC0AE4E3E69AFE0797B108122BF0699052DB38C29DF620
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 00D8F150
    Memory Dump Source
    • Source File: 00000000.00000002.2263406654.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: 00000000.00000002.2263326071.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377920.0000000000D86000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263432358.0000000000D96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263821957.0000000000EE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263849459.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263880109.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263981749.0000000000F25000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264003011.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264035504.0000000000F3C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264059150.0000000000F3D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264082874.0000000000F3E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264105522.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264130895.0000000000F48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264177351.0000000000F60000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264203553.0000000000F62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264226559.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264252259.0000000000F65000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264278696.0000000000F66000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264302497.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264328347.0000000000F7A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264351651.0000000000F7B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264373817.0000000000F7C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264396532.0000000000F7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264422384.0000000000F80000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264448995.0000000000F85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264472153.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264496981.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264523457.0000000000F9A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264556999.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264580607.0000000000F9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264603050.0000000000FA0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264620668.0000000000FA1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264645528.0000000000FA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264676345.0000000000FB8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264698500.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264722144.0000000000FC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264745645.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264776470.0000000000FD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264798225.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264832900.0000000001010000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264855145.0000000001011000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001012000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001019000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264932449.0000000001028000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264952953.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 77193786014e1c2adb55fb4cfc67f20f7b00dc8232772cb3dc2aca2a6e1065eb
    • Instruction ID: 70e58baca36a3960caaed4a558cc941821338ecb9f40563e667d43c692d6762c
    • Opcode Fuzzy Hash: 77193786014e1c2adb55fb4cfc67f20f7b00dc8232772cb3dc2aca2a6e1065eb
    • Instruction Fuzzy Hash: CAD012B0408205CBDB003F74D10537D39A0FB04300F200539DAC289684F13248A4E767
    APIs
    • CloseHandle.KERNELBASE(?,?,00F5B24E,?,?), ref: 00F5D1CE
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: 00000000.00000002.2263326071.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377920.0000000000D86000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263406654.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263432358.0000000000D96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263821957.0000000000EE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263849459.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263880109.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263981749.0000000000F25000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264003011.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264035504.0000000000F3C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264059150.0000000000F3D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264082874.0000000000F3E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264105522.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264130895.0000000000F48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264177351.0000000000F60000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264203553.0000000000F62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264226559.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264252259.0000000000F65000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264278696.0000000000F66000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264302497.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264328347.0000000000F7A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264351651.0000000000F7B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264373817.0000000000F7C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264396532.0000000000F7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264422384.0000000000F80000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264448995.0000000000F85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264472153.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264496981.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264523457.0000000000F9A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264556999.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264580607.0000000000F9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264603050.0000000000FA0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264620668.0000000000FA1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264645528.0000000000FA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264676345.0000000000FB8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264698500.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264722144.0000000000FC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264745645.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264776470.0000000000FD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264798225.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264832900.0000000001010000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264855145.0000000001011000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001012000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001019000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264932449.0000000001028000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264952953.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 3ba90572031b9ee5e4710b14abd26f8397ec291b5a3ba748f99a8181af17fd9c
    • Instruction ID: b1ad0b87bfe9c5d9adc7af586898105719392ce268e08add91b725ecc0b62c28
    • Opcode Fuzzy Hash: 3ba90572031b9ee5e4710b14abd26f8397ec291b5a3ba748f99a8181af17fd9c
    • Instruction Fuzzy Hash: 4AB0923200150CBBCB11BF55DC0684EBFA9BF55799B008120BE0A45131CB7AE9A4EB94
    APIs
      • Part of subcall function 00F5B3AF: GetCurrentThreadId.KERNEL32 ref: 00F5B3BE
      • Part of subcall function 00F5B3AF: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F5B401
    • GetSystemTime.KERNEL32(?,-11545FEC), ref: 00F5F531
    • GetFileTime.KERNEL32(?,?,?,?,-11545FEC), ref: 00F5F574
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSleepSystemThread
    • String ID:
    • API String ID: 3818558864-0
    Memory Dump Source
    • Source File: 00000000.00000002.2263406654.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a42810dd4c46e4f669259bb2245e91186246d7f88db08a773b7c95a971ef8d89
    • Instruction ID: c5b371c9f26613f860201eb262a3c2cf7d57dedacc563bad135809bdcfbd1c5e
    • Opcode Fuzzy Hash: a42810dd4c46e4f669259bb2245e91186246d7f88db08a773b7c95a971ef8d89
    • Instruction Fuzzy Hash: B84165B351C200AFE319EE19EC915BAF7E5FF94720F11492DEAC5C3650D63158418766
    Memory Dump Source
    • Source File: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: 00000000.00000002.2263326071.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377920.0000000000D86000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263406654.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263432358.0000000000D96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263821957.0000000000EE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263849459.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263880109.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263981749.0000000000F25000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264003011.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264035504.0000000000F3C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264059150.0000000000F3D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264082874.0000000000F3E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264105522.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264130895.0000000000F48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264177351.0000000000F60000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264203553.0000000000F62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264226559.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264252259.0000000000F65000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264278696.0000000000F66000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264302497.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264328347.0000000000F7A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264351651.0000000000F7B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264373817.0000000000F7C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264396532.0000000000F7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264422384.0000000000F80000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264448995.0000000000F85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264472153.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264496981.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264523457.0000000000F9A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264556999.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264580607.0000000000F9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264603050.0000000000FA0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264620668.0000000000FA1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264645528.0000000000FA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264676345.0000000000FB8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264698500.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264722144.0000000000FC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264745645.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264776470.0000000000FD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264798225.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264832900.0000000001010000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264855145.0000000001011000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001012000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001019000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264932449.0000000001028000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264952953.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 87faf3e7ec252dda1e2f3d90ff01b7a0992fb1db3f4c766a6baad74e5f104f2d
    • Instruction ID: e0075f4c476b014cf07e1fcc3e687e7640286e5f770caafeb29822af917ff053
    • Opcode Fuzzy Hash: 87faf3e7ec252dda1e2f3d90ff01b7a0992fb1db3f4c766a6baad74e5f104f2d
    • Instruction Fuzzy Hash: A54138B250C600EFD715AF29D88666EFBE4FFA9710F06882DD2C593220E7349491CB97
    Memory Dump Source
    • Source File: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: 00000000.00000002.2263326071.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377920.0000000000D86000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263406654.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263432358.0000000000D96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263821957.0000000000EE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263849459.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263880109.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263981749.0000000000F25000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264003011.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264035504.0000000000F3C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264059150.0000000000F3D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264082874.0000000000F3E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264105522.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264130895.0000000000F48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264177351.0000000000F60000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264203553.0000000000F62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264226559.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264252259.0000000000F65000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264278696.0000000000F66000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264302497.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264328347.0000000000F7A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264351651.0000000000F7B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264373817.0000000000F7C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264396532.0000000000F7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264422384.0000000000F80000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264448995.0000000000F85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264472153.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264496981.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264523457.0000000000F9A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264556999.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264580607.0000000000F9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264603050.0000000000FA0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264620668.0000000000FA1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264645528.0000000000FA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264676345.0000000000FB8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264698500.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264722144.0000000000FC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264745645.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264776470.0000000000FD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264798225.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264832900.0000000001010000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264855145.0000000001011000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001012000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001019000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264932449.0000000001028000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264952953.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 38a0dd316f65b1deb780caf97c0fd83086f836f9da46e306efdcb9fe9a10c6cb
    • Instruction ID: 5b6b214ace097cc7e51a55d00fd02b1a53015ed81327f36a979fde3115cfe240
    • Opcode Fuzzy Hash: 38a0dd316f65b1deb780caf97c0fd83086f836f9da46e306efdcb9fe9a10c6cb
    • Instruction Fuzzy Hash: 2D4125B250C600DFD715BF18D88666EFBE4EF98710F06882DD2C583610E7349481CB97
    Memory Dump Source
    • Source File: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: 00000000.00000002.2263326071.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377920.0000000000D86000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263406654.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263432358.0000000000D96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263821957.0000000000EE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263849459.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263880109.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263981749.0000000000F25000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264003011.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264035504.0000000000F3C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264059150.0000000000F3D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264082874.0000000000F3E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264105522.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264130895.0000000000F48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264177351.0000000000F60000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264203553.0000000000F62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264226559.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264252259.0000000000F65000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264278696.0000000000F66000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264302497.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264328347.0000000000F7A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264351651.0000000000F7B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264373817.0000000000F7C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264396532.0000000000F7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264422384.0000000000F80000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264448995.0000000000F85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264472153.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264496981.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264523457.0000000000F9A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264556999.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264580607.0000000000F9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264603050.0000000000FA0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264620668.0000000000FA1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264645528.0000000000FA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264676345.0000000000FB8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264698500.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264722144.0000000000FC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264745645.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264776470.0000000000FD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264798225.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264832900.0000000001010000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264855145.0000000001011000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001012000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001019000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264932449.0000000001028000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264952953.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0ce76838da534899cbd7863afa3f786abd22bce878f4f467e49fe976028d0a5d
    • Instruction ID: a88d1ad356e6c09345bf74139c6d5f94808d4bb0745b4da34ce36b8e81dc7a9c
    • Opcode Fuzzy Hash: 0ce76838da534899cbd7863afa3f786abd22bce878f4f467e49fe976028d0a5d
    • Instruction Fuzzy Hash: 64318FB250C2009FE746AF29DC817BABBE2EF84310F06892DE6C4C7654E7359845CB87
    Memory Dump Source
    • Source File: 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: 00000000.00000002.2263326071.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377920.0000000000D86000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263406654.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263432358.0000000000D96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263821957.0000000000EE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263849459.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263880109.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263981749.0000000000F25000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264003011.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264035504.0000000000F3C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264059150.0000000000F3D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264082874.0000000000F3E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264105522.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264130895.0000000000F48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264177351.0000000000F60000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264203553.0000000000F62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264226559.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264252259.0000000000F65000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264278696.0000000000F66000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264302497.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264328347.0000000000F7A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264351651.0000000000F7B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264373817.0000000000F7C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264396532.0000000000F7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264422384.0000000000F80000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264448995.0000000000F85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264472153.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264496981.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264523457.0000000000F9A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264556999.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264580607.0000000000F9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264603050.0000000000FA0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264620668.0000000000FA1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264645528.0000000000FA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264676345.0000000000FB8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264698500.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264722144.0000000000FC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264745645.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264776470.0000000000FD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264798225.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264832900.0000000001010000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264855145.0000000001011000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001012000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001019000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264932449.0000000001028000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264952953.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 18da276142d9f4b4157e53a7c7d3a7d8409445b51a101f6e41901a9c1bc041dc
    • Instruction ID: fce57e6cbd1f6062fccc33c24c3f0d2f20386948b17f95db7bb4912cedd03a13
    • Opcode Fuzzy Hash: 18da276142d9f4b4157e53a7c7d3a7d8409445b51a101f6e41901a9c1bc041dc
    • Instruction Fuzzy Hash: C0E086360141019EC7009F54C85699FFBF4FF19320F658845E484C7322C3354D41CB2A
    APIs
      • Part of subcall function 00F5B3AF: GetCurrentThreadId.KERNEL32 ref: 00F5B3BE
      • Part of subcall function 00F5B3AF: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F5B401
      • Part of subcall function 00F5FAB0: IsBadWritePtr.KERNEL32(?,00000004), ref: 00F5FABE
    • wsprintfA.USER32 ref: 00F5EA78
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 00F5EB3C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: 00000000.00000002.2263326071.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377920.0000000000D86000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263406654.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263432358.0000000000D96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263821957.0000000000EE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263849459.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263880109.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263981749.0000000000F25000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264003011.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264035504.0000000000F3C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264059150.0000000000F3D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264082874.0000000000F3E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264105522.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264130895.0000000000F48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264177351.0000000000F60000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264203553.0000000000F62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264226559.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264252259.0000000000F65000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264278696.0000000000F66000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264302497.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264328347.0000000000F7A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264351651.0000000000F7B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264373817.0000000000F7C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264396532.0000000000F7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264422384.0000000000F80000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264448995.0000000000F85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264472153.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264496981.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264523457.0000000000F9A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264556999.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264580607.0000000000F9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264603050.0000000000FA0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264620668.0000000000FA1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264645528.0000000000FA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264676345.0000000000FB8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264698500.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264722144.0000000000FC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264745645.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264776470.0000000000FD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264798225.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264832900.0000000001010000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264855145.0000000001011000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001012000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001019000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264932449.0000000001028000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264952953.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadSleepThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 2375920415-2046107164
    • Opcode ID: f1b8455bbe77ee9c2e6f80718af948aac8792a28312ad74f0553818dbcc6d683
    • Instruction ID: 2d8f00f4c14385a3abc087fb9a947a2130d84feb6ffee061d061ea68644d9aaf
    • Opcode Fuzzy Hash: f1b8455bbe77ee9c2e6f80718af948aac8792a28312ad74f0553818dbcc6d683
    • Instruction Fuzzy Hash: 0231283290010AFBDF11DF94DC09EEEBBB5FF84711F108125FA16A61A1C7359A65EB50
    APIs
    • GetFileAttributesExW.KERNEL32(013601D4,00004020,00000000,-11545FEC), ref: 00F5F6F0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2264154269.0000000000F51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
    • Associated: 00000000.00000002.2263326071.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263346305.0000000000D82000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377920.0000000000D86000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263406654.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263432358.0000000000D96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263821957.0000000000EE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263849459.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263880109.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263905804.0000000000F02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263931188.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263981749.0000000000F25000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264003011.0000000000F26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264035504.0000000000F3C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264059150.0000000000F3D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264082874.0000000000F3E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264105522.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264130895.0000000000F48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264177351.0000000000F60000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264203553.0000000000F62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264226559.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264252259.0000000000F65000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264278696.0000000000F66000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264302497.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264328347.0000000000F7A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264351651.0000000000F7B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264373817.0000000000F7C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264396532.0000000000F7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264422384.0000000000F80000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264448995.0000000000F85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264472153.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264496981.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264523457.0000000000F9A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264556999.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264580607.0000000000F9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264603050.0000000000FA0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264620668.0000000000FA1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264645528.0000000000FA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264676345.0000000000FB8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264698500.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264722144.0000000000FC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264745645.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264776470.0000000000FD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264798225.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264832900.0000000001010000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264855145.0000000001011000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001012000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264878352.0000000001019000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264932449.0000000001028000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2264952953.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d80000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 6044d2fef00759bfd85c2b4648e68e2fa79a49c282d1a37bf2d3c954ce75df86
    • Instruction ID: 4b511abc5b3841fd74367f94ce2d7c915d9b124bba6c722a21b0a55a2b686d7a
    • Opcode Fuzzy Hash: 6044d2fef00759bfd85c2b4648e68e2fa79a49c282d1a37bf2d3c954ce75df86
    • Instruction Fuzzy Hash: 2A319CB1904705EFDB248F54D844B8ABBB0FF08315F108569EA56A7260C3B5A6ADEF80