
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1559008
MD5: 8016e5d93e55bb0356c789bb6ba0bdbe
SHA1: d22bb6723ea29ff986bdbcda2943b6f77f9121e6
SHA256: 683609cf5dad7e5a984bf4ebab65c2fa2a6d59724507b7c5e9d240932f2994a4
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5748 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8016E5D93E55BB0356C789BB6BA0BDBE)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.2194395926.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047E128
Source: file.exe, 00000000.00000002.2329305190.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2187199622.0000000000476000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2847744 > 1048576
Source: file.exe | Static PE information: Raw size of jwaseymg is bigger than: 0x100000 < 0x2b1400
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.2194395926.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.470000.0.unpack :EW;.rsrc:W;.idata :W;jwaseymg:EW;reksrrmv:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2c251f should be: 0x2c6e14
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: jwaseymg
Source: file.exe | Static PE information: section name: reksrrmv
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047E7FF push esi; mov dword ptr [esp], edx | 0_2_0047EC78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047E7FF push ebx; mov dword ptr [esp], eax | 0_2_0047EE52
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047E7FF push edx; mov dword ptr [esp], 050C7F1Fh | 0_2_0047EE56
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047E7FF push esi; mov dword ptr [esp], ebp | 0_2_0047F419
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FDB67 push ebx; mov dword ptr [esp], 7FEFE766h | 0_2_005FDBA3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FDB67 push edi; mov dword ptr [esp], 5BFF7E1Dh | 0_2_005FDBCA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FDB67 push ebp; mov dword ptr [esp], esi | 0_2_005FDBD9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FDB67 push eax; mov dword ptr [esp], 7F6DFD1Dh | 0_2_005FDBF5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FDCCE push edi; mov dword ptr [esp], 6BFFDA01h | 0_2_005FDCF5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FDCCE push eax; mov dword ptr [esp], 0B5201A8h | 0_2_005FDD1F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060AD07 push eax; mov dword ptr [esp], esi | 0_2_0060B4A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060D06B push eax; mov dword ptr [esp], edi | 0_2_0060D07C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048106C push edi; mov dword ptr [esp], 7ABF3CA7h | 0_2_004824AD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071805C push edi; mov dword ptr [esp], eax | 0_2_0071809D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00611052 push eax; mov dword ptr [esp], edi | 0_2_00611053
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048307E push edi; mov dword ptr [esp], 00000000h | 0_2_0048307F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060905A push edi; mov dword ptr [esp], eax | 0_2_0060905C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060905A push esi; mov dword ptr [esp], 3DC13DD4h | 0_2_00609063
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047C039 push 22A00B2Ah; mov dword ptr [esp], edi | 0_2_0047C5A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B40EF push 1DA8A3F8h; mov dword ptr [esp], esi | 0_2_006B4139
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060D0C8 push eax; mov dword ptr [esp], ebx | 0_2_0060D1DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FE0F4 push ebx; mov dword ptr [esp], 4BFFCDD2h | 0_2_005FE159
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FE0F4 push edi; mov dword ptr [esp], 02F9F321h | 0_2_005FE17D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FE0F4 push 07037093h; mov dword ptr [esp], eax | 0_2_005FE281
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060B089 push eax; mov dword ptr [esp], 67BB165Eh | 0_2_0060F288
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004810B1 push edx; mov dword ptr [esp], 02FFDA50h | 0_2_004810D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047F145 push ecx; mov dword ptr [esp], esp | 0_2_0047F146
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00480146 push ds; retf | 0_2_00480148
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060B16F push edi; mov dword ptr [esp], ebx | 0_2_0060ECA9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060B16F push esi; mov dword ptr [esp], ebx | 0_2_00610056
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064F17E push 124D59B2h; mov dword ptr [esp], eax | 0_2_0064F949
Source: file.exe | Static PE information: section name: entropy: 7.7732611689992375

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (16 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F7A34 second address: 5F7A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F1858813946h 0x0000000a jmp 00007F185881394Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FDF6D second address: 5FDF71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FE0FA second address: 5FE130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F1858813951h 0x0000000b popad 0x0000000c jmp 00007F1858813958h 0x00000011 pop esi 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FE130 second address: 5FE134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FE2C4 second address: 5FE2D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1858813950h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6015DB second address: 601626 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007F18593F4D66h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 sub dword ptr [ebp+122D1DD5h], edx 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F18593F4D68h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 push E2675093h 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F18593F4D6Fh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 601723 second address: 6017C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 nop 0x00000007 jmp 00007F1858813959h 0x0000000c push 00000000h 0x0000000e xor dword ptr [ebp+122D1DEFh], edx 0x00000014 push B1CB04B6h 0x00000019 jo 00007F1858813957h 0x0000001f jmp 00007F1858813951h 0x00000024 add dword ptr [esp], 4E34FBCAh 0x0000002b mov edi, dword ptr [ebp+122D2FBCh] 0x00000031 push 00000003h 0x00000033 pushad 0x00000034 add dh, 00000060h 0x00000037 push eax 0x00000038 mov dword ptr [ebp+122D328Dh], eax 0x0000003e pop ebx 0x0000003f popad 0x00000040 push 00000000h 0x00000042 jnp 00007F185881394Ch 0x00000048 sub dword ptr [ebp+122D38D3h], ebx 0x0000004e push 00000003h 0x00000050 movsx edx, dx 0x00000053 call 00007F1858813949h 0x00000058 pushad 0x00000059 push edi 0x0000005a push ebx 0x0000005b pop ebx 0x0000005c pop edi 0x0000005d jnc 00007F1858813957h 0x00000063 jmp 00007F1858813951h 0x00000068 popad 0x00000069 push eax 0x0000006a pushad 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e popad 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6017C2 second address: 6017C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6018C7 second address: 6018D1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F185881394Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6018D1 second address: 601920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push esi 0x0000000a mov si, dx 0x0000000d pop edx 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F18593F4D68h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a call 00007F18593F4D69h 0x0000002f push eax 0x00000030 push edx 0x00000031 push esi 0x00000032 jmp 00007F18593F4D6Dh 0x00000037 pop esi 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 601920 second address: 601926 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 601926 second address: 6019F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jg 00007F18593F4D72h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push ebx 0x00000014 push eax 0x00000015 jmp 00007F18593F4D72h 0x0000001a pop eax 0x0000001b pop ebx 0x0000001c mov eax, dword ptr [eax] 0x0000001e jmp 00007F18593F4D77h 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edi 0x0000002a pop edi 0x0000002b pop eax 0x0000002c pop edx 0x0000002d pop eax 0x0000002e mov esi, dword ptr [ebp+122D31E8h] 0x00000034 push 00000003h 0x00000036 mov si, bx 0x00000039 push 00000000h 0x0000003b sbb esi, 487616C3h 0x00000041 push 00000003h 0x00000043 mov edx, 6A6F4206h 0x00000048 push 955E24AEh 0x0000004d jp 00007F18593F4D7Dh 0x00000053 jmp 00007F18593F4D77h 0x00000058 xor dword ptr [esp], 555E24AEh 0x0000005f pushad 0x00000060 jc 00007F18593F4D66h 0x00000066 popad 0x00000067 lea ebx, dword ptr [ebp+12457496h] 0x0000006d mov edi, dword ptr [ebp+122D2E98h] 0x00000073 mov cx, dx 0x00000076 push eax 0x00000077 jnl 00007F18593F4D81h 0x0000007d push eax 0x0000007e push edx 0x0000007f jmp 00007F18593F4D73h 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 622527 second address: 622532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1858813946h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 622532 second address: 622557 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18593F4D6Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F18593F4D70h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 622557 second address: 62255C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 620363 second address: 620369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 620369 second address: 62036D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6207DB second address: 620809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 jns 00007F18593F4D81h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 620964 second address: 620980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1858813950h 0x00000009 js 00007F1858813946h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 620D84 second address: 620DA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F18593F4D73h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 621667 second address: 62166F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62166F second address: 62167B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F18593F4D66h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62167B second address: 62167F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62167F second address: 6216AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F18593F4D66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F18593F4D78h 0x00000013 jp 00007F18593F4D66h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 621CEC second address: 621CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 621E5C second address: 621E75 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F18593F4D66h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F18593F4D6Ah 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 621FC0 second address: 621FC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 621FC4 second address: 621FCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 623BD1 second address: 623BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1858813959h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 623BF1 second address: 623C07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18593F4D6Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 623C07 second address: 623C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F1858813952h 0x0000000d jng 00007F1858813946h 0x00000013 je 00007F1858813946h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c jmp 00007F1858813958h 0x00000021 push edi 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 628758 second address: 62875E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62875E second address: 628763 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 628CBF second address: 628CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 627D8F second address: 627D95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 627D95 second address: 627D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 627D9A second address: 627DA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 628E44 second address: 628E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F5EDE second address: 5F5EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6305E9 second address: 630601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jl 00007F18593F4D73h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F18593F4D6Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E6C99 second address: 5E6C9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61550B second address: 615525 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F18593F4D66h 0x00000008 jl 00007F18593F4D66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007F18593F4D66h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62FCF5 second address: 62FD0B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1858813946h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F1858813946h 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62FE8A second address: 62FE94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62FE94 second address: 62FEC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F1858813946h 0x0000000a jnp 00007F1858813946h 0x00000010 popad 0x00000011 jbe 00007F1858813958h 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6301BE second address: 6301D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18593F4D70h 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6302FA second address: 630300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63046F second address: 630486 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F18593F4D66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F18593F4D6Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 630486 second address: 630490 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 630490 second address: 630496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 633E7D second address: 633E82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 634669 second address: 63466D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 634985 second address: 6349BE instructions: 0x00000000 rdtsc 0x00000002 js 00007F1858813948h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F1858813953h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F1858813956h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 634B1A second address: 634B20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6350BD second address: 635131 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1858813953h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a je 00007F1858813946h 0x00000010 jmp 00007F185881394Fh 0x00000015 popad 0x00000016 popad 0x00000017 nop 0x00000018 xor di, 60FBh 0x0000001d push 00000000h 0x0000001f mov dword ptr [ebp+122D2D09h], esi 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007F1858813948h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 00000015h 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 jp 00007F185881394Ch 0x00000047 jnc 00007F1858813946h 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push edi 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 635131 second address: 635136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 635999 second address: 6359BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1858813959h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 637429 second address: 63742D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 637FE3 second address: 637FE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 637C83 second address: 637CAD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F18593F4D7Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 637CAD second address: 637CB7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F185881394Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 638A7F second address: 638AAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F18593F4D66h 0x00000009 jmp 00007F18593F4D73h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jbe 00007F18593F4D78h 0x00000018 push eax 0x00000019 push edx 0x0000001a jnc 00007F18593F4D66h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 638AAD second address: 638AB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63E079 second address: 63E0DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jnc 00007F18593F4D66h 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pop edx 0x00000017 nop 0x00000018 sub edi, dword ptr [ebp+122D2FFCh] 0x0000001e push 00000000h 0x00000020 jp 00007F18593F4D6Ch 0x00000026 mov ebx, dword ptr [ebp+122D2F24h] 0x0000002c mov dword ptr [ebp+122D3797h], eax 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007F18593F4D68h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 0000001Ah 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e mov dword ptr [ebp+122DBC6Ah], edi 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63E0DB second address: 63E0E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63E0E1 second address: 63E0E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63F09E second address: 63F0A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63F0A3 second address: 63F135 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F18593F4D6Fh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F18593F4D6Ch 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F18593F4D68h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c jg 00007F18593F4D6Ch 0x00000032 mov di, E9E4h 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edi 0x0000003b call 00007F18593F4D68h 0x00000040 pop edi 0x00000041 mov dword ptr [esp+04h], edi 0x00000045 add dword ptr [esp+04h], 0000001Ah 0x0000004d inc edi 0x0000004e push edi 0x0000004f ret 0x00000050 pop edi 0x00000051 ret 0x00000052 mov edi, dword ptr [ebp+122D3507h] 0x00000058 push 00000000h 0x0000005a sbb bx, B5BDh 0x0000005f xchg eax, esi 0x00000060 jp 00007F18593F4D72h 0x00000066 ja 00007F18593F4D6Ch 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63F135 second address: 63F14A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F185881394Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63F14A second address: 63F150 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 640072 second address: 640078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 640078 second address: 64007D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64007D second address: 640093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1858813952h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6410B4 second address: 6410B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64215C second address: 642162 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 641291 second address: 641297 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 642162 second address: 642166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 641297 second address: 64129B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64129B second address: 641325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F185881394Ah 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F1858813948h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 xor dword ptr [ebp+122D3507h], eax 0x0000002f push dword ptr fs:[00000000h] 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007F1858813948h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 00000018h 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 cmc 0x00000051 mov dword ptr fs:[00000000h], esp 0x00000058 mov edi, 7B32BEF6h 0x0000005d mov eax, dword ptr [ebp+122D07B9h] 0x00000063 mov ebx, dword ptr [ebp+1245E395h] 0x00000069 push FFFFFFFFh 0x0000006b add dword ptr [ebp+122D38F1h], ebx 0x00000071 nop 0x00000072 push eax 0x00000073 push edx 0x00000074 push eax 0x00000075 push edx 0x00000076 jne 00007F1858813946h 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6422FB second address: 642305 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F18593F4D66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 641325 second address: 641338 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F185881394Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 643123 second address: 643127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 641338 second address: 641351 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F185881394Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 642305 second address: 642313 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 643127 second address: 643195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jnc 00007F1858813959h 0x00000010 jmp 00007F1858813953h 0x00000015 mov ebx, dword ptr [ebp+124695E9h] 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007F1858813948h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 00000018h 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 push ebx 0x00000038 jns 00007F185881394Bh 0x0000003e pop edi 0x0000003f push 00000000h 0x00000041 add edi, 4E4EA2D7h 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F185881394Bh 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 642313 second address: 642319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 643195 second address: 6431AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1858813951h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 642319 second address: 64231E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64231E second address: 642328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F1858813946h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 642328 second address: 64232C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6432D0 second address: 6432D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 644451 second address: 64445E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6432D4 second address: 6432DA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6432DA second address: 643351 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a mov ax, 277Eh 0x0000000e adc ax, 2004h 0x00000013 popad 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007F18593F4D68h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 0000001Ah 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c xor dword ptr [ebp+122D3512h], ebx 0x00000042 mov eax, dword ptr [ebp+122D11E5h] 0x00000048 add dword ptr [ebp+1245E6C3h], edx 0x0000004e push FFFFFFFFh 0x00000050 jmp 00007F18593F4D78h 0x00000055 nop 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 643351 second address: 643355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 646184 second address: 646188 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 643355 second address: 64335F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1858813946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 646188 second address: 64619A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jnp 00007F18593F4D66h 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64619A second address: 64619F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64619F second address: 646204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F18593F4D66h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F18593F4D68h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 js 00007F18593F4D6Ch 0x0000002e sub ebx, 285BCDEEh 0x00000034 mov ebx, 50D40364h 0x00000039 push 00000000h 0x0000003b sub dword ptr [ebp+12474D80h], ebx 0x00000041 xor dword ptr [ebp+122D25DAh], esi 0x00000047 push 00000000h 0x00000049 pushad 0x0000004a mov cx, D691h 0x0000004e add bx, 631Ah 0x00000053 popad 0x00000054 push eax 0x00000055 push ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 646204 second address: 646208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6472E5 second address: 6472E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64A234 second address: 64A25A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F185881394Ch 0x00000008 js 00007F1858813946h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1858813953h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64B1E0 second address: 64B1EA instructions: 0x00000000 rdtsc 0x00000002 js 00007F18593F4D66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64B1EA second address: 64B209 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F185881394Ah 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F185881394Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64B209 second address: 64B25F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F18593F4D6Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b add dword ptr [ebp+12466F2Eh], esi 0x00000011 push 00000000h 0x00000013 mov edi, ecx 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F18593F4D68h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 0000001Bh 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 mov edi, dword ptr [ebp+122D3108h] 0x00000037 push eax 0x00000038 jp 00007F18593F4D74h 0x0000003e pushad 0x0000003f jnc 00007F18593F4D66h 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 647412 second address: 647425 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F185881394Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 647425 second address: 647449 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F18593F4D66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F18593F4D75h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6493F9 second address: 6493FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6493FD second address: 649403 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 649403 second address: 649432 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F185881395Ah 0x00000008 jmp 00007F1858813954h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F185881394Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 649432 second address: 649436 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64A406 second address: 64A410 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1858813946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 649436 second address: 64943C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64943C second address: 649442 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 649442 second address: 649446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64D287 second address: 64D28B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6494F6 second address: 649500 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F18593F4D66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 649500 second address: 649526 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1858813958h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F1858813946h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 649526 second address: 649539 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F18593F4D66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jc 00007F18593F4D66h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64B456 second address: 64B45C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64C45F second address: 64C465 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64D3E0 second address: 64D3E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65E01A second address: 65E022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65E022 second address: 65E02A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65E02A second address: 65E043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F18593F4D66h 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jp 00007F18593F4D66h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65E043 second address: 65E048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65E2F9 second address: 65E2FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 664026 second address: 66402C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 664130 second address: 664134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 664134 second address: 664138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 664240 second address: 664246 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 664246 second address: 66424C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66424C second address: 664250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66A74B second address: 66A75E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F185881394Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66A75E second address: 66A77C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push ecx 0x0000000a jbe 00007F18593F4D6Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F18593F4D66h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66A77C second address: 66A798 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1858813958h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AA36 second address: 66AA3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AA3C second address: 66AA46 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1858813946h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AA46 second address: 66AA57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jno 00007F18593F4D66h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AA57 second address: 66AA5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AEE8 second address: 66AEED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AEED second address: 66AEFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F1858813946h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AEFD second address: 66AF1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F18593F4D66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F18593F4D6Bh 0x00000015 push ebx 0x00000016 pushad 0x00000017 popad 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AF1C second address: 66AF26 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F185881394Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EBCE6 second address: 5EBCF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F18593F4D66h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EBCF3 second address: 5EBD11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1858813959h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66F73D second address: 66F741 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66F741 second address: 66F747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66F747 second address: 66F74C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66FA46 second address: 66FA50 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1858813946h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66FD2A second address: 66FD4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18593F4D6Ah 0x00000009 pop eax 0x0000000a jmp 00007F18593F4D71h 0x0000000f pop esi 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6701A3 second address: 6701A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 670464 second address: 670479 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F18593F4D70h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 670775 second address: 67077B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632342 second address: 632346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632346 second address: 63234A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63234A second address: 632350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632350 second address: 632355 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632355 second address: 63235B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632811 second address: 632827 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F185881394Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632827 second address: 63282D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63282D second address: 632831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6328AA second address: 6328AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6328AE second address: 6328B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632939 second address: 63294D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18593F4D6Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63294D second address: 632990 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 119CC77Dh 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F1858813948h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 or di, 2C6Bh 0x0000002e call 00007F1858813949h 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632990 second address: 632994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632994 second address: 6329AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1858813954h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6329AC second address: 6329B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6329B1 second address: 632A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F1858813946h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jbe 00007F185881395Eh 0x00000014 jmp 00007F1858813958h 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d pushad 0x0000001e jmp 00007F185881394Dh 0x00000023 pushad 0x00000024 jnp 00007F1858813946h 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d popad 0x0000002e mov eax, dword ptr [eax] 0x00000030 jmp 00007F1858813951h 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 pushad 0x0000003a js 00007F1858813956h 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F1858813956h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632B34 second address: 632B74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F18593F4D68h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jbe 00007F18593F4D68h 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F18593F4D77h 0x0000001b popad 0x0000001c xchg eax, esi 0x0000001d mov cl, EEh 0x0000001f nop 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push ecx 0x00000024 pop ecx 0x00000025 jbe 00007F18593F4D66h 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63322B second address: 633256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F185881394Ch 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c sub dword ptr [ebp+122D2979h], edx 0x00000012 push 0000001Eh 0x00000014 mov edx, dword ptr [ebp+122D36ECh] 0x0000001a push eax 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jno 00007F1858813946h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6334CA second address: 6334DB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F18593F4D66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6334DB second address: 6334DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6334DF second address: 63353E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F18593F4D6Dh 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 jmp 00007F18593F4D70h 0x00000016 jmp 00007F18593F4D73h 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e jg 00007F18593F4D6Eh 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 pushad 0x00000029 jmp 00007F18593F4D6Ah 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63361F second address: 633655 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+122D3748h], ecx 0x00000011 lea eax, dword ptr [ebp+124880EAh] 0x00000017 push ecx 0x00000018 jmp 00007F185881394Ch 0x0000001d pop edi 0x0000001e nop 0x0000001f push ecx 0x00000020 jo 00007F1858813948h 0x00000026 push edx 0x00000027 pop edx 0x00000028 pop ecx 0x00000029 push eax 0x0000002a push ecx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633655 second address: 633659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 677F4A second address: 677F4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 677F4E second address: 677F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F18593F4D6Ah 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 677F65 second address: 677F97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1858813959h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jnl 00007F1858813946h 0x00000012 jmp 00007F185881394Bh 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 677F97 second address: 677FC2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F18593F4D68h 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F18593F4D79h 0x00000011 jns 00007F18593F4D66h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 678125 second address: 678144 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1858813946h 0x00000008 jmp 00007F1858813955h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6782A8 second address: 6782AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67E1A8 second address: 67E1C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F1858813946h 0x0000000a pop eax 0x0000000b pushad 0x0000000c jbe 00007F1858813946h 0x00000012 jbe 00007F1858813946h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67E1C3 second address: 67E1D8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F18593F4D68h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F18593F4D76h 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67D146 second address: 67D14F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67D2C7 second address: 67D2D3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnp 00007F18593F4D66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67D586 second address: 67D58E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67D71B second address: 67D739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18593F4D76h 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F93DA second address: 5F93FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F185881398Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F1858813946h 0x00000014 jmp 00007F1858813951h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6884FD second address: 688503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 688503 second address: 688528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnp 00007F1858813960h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F1858813958h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 688528 second address: 68852D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68B089 second address: 68B0AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jc 00007F1858813946h 0x0000000b popad 0x0000000c jg 00007F1858813952h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68B0AD second address: 68B0D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F18593F4D66h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007F18593F4D70h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop eax 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6902A7 second address: 6902B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6902B5 second address: 6902B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6906CE second address: 6906D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6906D2 second address: 6906D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6906D6 second address: 6906E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6906E0 second address: 6906EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F18593F4D66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632FEC second address: 633065 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1858813957h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov ebx, dword ptr [ebp+124880E5h] 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F1858813948h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c jmp 00007F1858813953h 0x00000031 add eax, ebx 0x00000033 jmp 00007F1858813956h 0x00000038 nop 0x00000039 pushad 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633065 second address: 63306B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 690815 second address: 690819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 690819 second address: 690837 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F18593F4D66h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F18593F4D6Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 690837 second address: 69083B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69083B second address: 69084A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F18593F4D66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69084A second address: 690864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 je 00007F1858813946h 0x0000000e jng 00007F1858813946h 0x00000014 popad 0x00000015 push edi 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 694C64 second address: 694C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F18593F4D66h 0x0000000c jmp 00007F18593F4D75h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 694C86 second address: 694C9D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F1858813950h 0x00000008 pop ebx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 694F27 second address: 694F4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18593F4D77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F18593F4D66h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 695207 second address: 69521D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007F185881394Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69521D second address: 695228 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 695228 second address: 69522E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69522E second address: 695240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 ja 00007F18593F4D66h 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 698819 second address: 698844 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1858813955h 0x00000007 jmp 00007F1858813952h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F287F second address: 5F2885 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F2885 second address: 5F2893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F1858813948h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F2893 second address: 5F2898 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F2898 second address: 5F289E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F289E second address: 5F28B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F18593F4D6Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 698246 second address: 69824A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69EEB6 second address: 69EEE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18593F4D77h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F18593F4D6Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F052 second address: 69F06F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1858813958h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F06F second address: 69F075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F392 second address: 69F396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F396 second address: 69F39A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F6E3 second address: 69F6E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F6E7 second address: 69F6FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F18593F4D6Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F9CF second address: 69F9EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1858813956h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69FCAC second address: 69FCB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A0AEB second address: 6A0B04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1858813955h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A0B04 second address: 6A0B08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A0B08 second address: 6A0B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A5B3B second address: 6A5B41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A5B41 second address: 6A5B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F185881394Ch 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E8779 second address: 5E87AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18593F4D77h 0x00000007 jl 00007F18593F4D66h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F18593F4D72h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A4D23 second address: 6A4D27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A4D27 second address: 6A4D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A4D35 second address: 6A4D39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A556C second address: 6A5572 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A5572 second address: 6A5578 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF1FB second address: 5EF201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ACB28 second address: 6ACB4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1858813950h 0x00000007 jnl 00007F185881394Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jbe 00007F185881396Dh 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ACB4F second address: 6ACB6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18593F4D6Fh 0x00000009 jbe 00007F18593F4D66h 0x0000000f popad 0x00000010 push edi 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B2EFE second address: 6B2F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B3036 second address: 6B3040 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F18593F4D66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B3040 second address: 6B3047 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B31B6 second address: 6B31BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B31BB second address: 6B31C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B31C1 second address: 6B31C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B31C7 second address: 6B31F5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1858813946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F185881394Ch 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jmp 00007F1858813953h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B3713 second address: 6B3728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F18593F4D66h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jns 00007F18593F4D66h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B3728 second address: 6B3740 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1858813950h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B3EA6 second address: 6B3EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B3EAA second address: 6B3EAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B3EAE second address: 6B3EBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F18593F4D66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B483D second address: 6B4855 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F185881394Eh 0x00000008 ja 00007F185881394Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B2662 second address: 6B2674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F18593F4D6Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B7027 second address: 6B7039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jno 00007F1858813946h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B8810 second address: 6B881C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F18593F4D66h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B881C second address: 6B8821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B8821 second address: 6B8851 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F18593F4D6Ch 0x00000008 jmp 00007F18593F4D70h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007F18593F4D6Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BE0A1 second address: 6BE0D5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jnp 00007F1858813946h 0x00000010 jmp 00007F185881394Eh 0x00000015 popad 0x00000016 jmp 00007F1858813955h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BDB46 second address: 6BDB70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18593F4D74h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F18593F4D72h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CFA0F second address: 6CFA19 instructions: 0x00000000 rdtsc 0x00000002 je 00007F185881394Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D27DB second address: 6D27DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D27DF second address: 6D2805 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1858813946h 0x00000008 jmp 00007F1858813952h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007F1858813946h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D2805 second address: 6D280D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D280D second address: 6D2822 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1858813951h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D2371 second address: 6D2375 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D73B1 second address: 6D73B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D73B5 second address: 6D73B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D5EB4 second address: 6D5EB9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D5FF5 second address: 6D5FFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DA5CF second address: 6DA5FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1858813946h 0x0000000a pop eax 0x0000000b jnc 00007F1858813960h 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E0BD4 second address: 6E0BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E0A1C second address: 6E0A20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E0A20 second address: 6E0A55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18593F4D78h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007F18593F4D68h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F18593F4D6Fh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E0A55 second address: 6E0A68 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1858813946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E83F4 second address: 6E83F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E855F second address: 6E8565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E8565 second address: 6E856A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E87F1 second address: 6E87F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E87F5 second address: 6E87FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E87FB second address: 6E8810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F185881394Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E8810 second address: 6E8843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jmp 00007F18593F4D72h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F18593F4D78h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FBD67 second address: 6FBD6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FBBCF second address: 6FBBD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 714B98 second address: 714BA9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1858813946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 714BA9 second address: 714BD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18593F4D78h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e jc 00007F18593F4D66h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 714BD0 second address: 714BDA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1858813946h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 714BDA second address: 714BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 714BE0 second address: 714BF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F185881394Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 713DB3 second address: 713DBD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71422E second address: 714232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 714232 second address: 714254 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F18593F4D79h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7143B1 second address: 7143B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7143B7 second address: 7143C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7143C1 second address: 7143C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 714566 second address: 71456E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71456E second address: 71459A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 jmp 00007F185881394Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1858813955h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71D147 second address: 71D14B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72076F second address: 72077A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72077A second address: 720794 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F18593F4D6Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jnl 00007F18593F4D66h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7202F6 second address: 720303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F1858813946h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 720303 second address: 720323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F18593F4D71h 0x0000000e push edi 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7222F8 second address: 722302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F1858813946h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722302 second address: 72232D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F18593F4D6Fh 0x00000008 jno 00007F18593F4D66h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 pushad 0x00000012 push edi 0x00000013 pop edi 0x00000014 push edi 0x00000015 pop edi 0x00000016 push edx 0x00000017 pop edx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72232D second address: 722333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722333 second address: 722339 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 717B9F second address: 717BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 717EAE second address: 717EB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 717EB5 second address: 717EF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F185881394Ah 0x0000000b popad 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 jno 00007F1858813962h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 718F44 second address: 718F4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe - Special instruction interceptor: First address: 47DF56 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe - Special instruction interceptor: First address: 6525D6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe - Special instruction interceptor: First address: 6C0462 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe - Special instruction interceptor: First address: 481744 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe - Memory allocated: 4CF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe - Memory allocated: 4DA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe - Memory allocated: 6DA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe - Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe - Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe - Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_005FDB67 rdtsc 0_2_005FDB67
Source: C:\Users\user\Desktop\file.exe - Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 5452 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00661E8F GetSystemInfo,VirtualAlloc,0_2_00661E8F
Source: C:\Users\user\Desktop\file.exe - Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp - Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp - Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe - System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe - Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe - Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe - Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe - Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe - Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe - Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe - Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe - Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe - Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe - Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe - File opened: NTICE
Source: C:\Users\user\Desktop\file.exe - File opened: SICE
Source: C:\Users\user\Desktop\file.exe - File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_005FDB67 rdtsc 0_2_005FDB67
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_0047B7CA LdrInitializeThunk,0_2_0047B7CA
Source: C:\Users\user\Desktop\file.exe - Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe - Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp - Binary or memory string: nProgram Manager
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_0065766E GetSystemTime,GetFileTime,0_2_0065766E

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe - Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection - Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection - Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications - Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe - Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK matrix (one row per line; a number in front of a technique is the count shown by the report for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 41 Disable or Modify Tools | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Bypass User Account Control | 261 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 261 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 24 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Bypass User Account Control | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559008
Start date and time: 2024-11-20 03:19:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net
• Report size getting too big, too many NtProtectVirtualMemory calls found.
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
bg.microsoft.map.fastly.net | Benefit Enrollment -wZ5nusm.pdf | Get hash | malicious | Unknown | Browse | 199.232.214.172
| 6GvQSVIEIu.exe | Get hash | malicious | Unknown | Browse | 199.232.210.172
| Benefit Enrollment -eGz8VNb.pdf | Get hash | malicious | Unknown | Browse | 199.232.214.172
| 217469812STM.pdf | Get hash | malicious | ScreenConnect Tool, Phisher | Browse | 199.232.210.172
| file.exe | Get hash | malicious | Remcos | Browse | 199.232.214.172
| file.exe | Get hash | malicious | Credential Flusher | Browse | 199.232.210.172
| beacon_x64.exe | Get hash | malicious | CobaltStrike | Browse | 199.232.210.172
| DellTpm1.2_Fw5.81.2.1_V3_64.exe | Get hash | malicious | Unknown | Browse | 199.232.214.172
| Ref#501032.vbe | Get hash | malicious | MassLogger RAT | Browse | 199.232.210.172
| phish_alert_sp2_2.0.0.0 (7).eml | Get hash | malicious | Unknown | Browse | 199.232.210.172
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.4856441773881786
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'847'744 bytes
MD5: 8016e5d93e55bb0356c789bb6ba0bdbe
SHA1: d22bb6723ea29ff986bdbcda2943b6f77f9121e6
SHA256: 683609cf5dad7e5a984bf4ebab65c2fa2a6d59724507b7c5e9d240932f2994a4
SHA512: 02a0988cdf9fad5e64893c9271ca4b7cd9008214193c713b1e068912461a7e4d01342c97c96ab0091c25c7444705ba516ef7349ead6843f9cfb9127278d1d0c0
SSDEEP: 24576:hrIAqSlyHUp/CpYC0PXgE7qtliQJAmn7qdfYKs0ufkqhrLKN5KOVCOo7fU7wBBZF:hUulZ4QaE7hN5KKo7MsBBL0DuWZB9I
TLSH: 13D53BA2B90572CFD88A27B85527CDC2595D47B90B1588D3DCB874BA7E73CC122BBC18
File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. ....................... ,......%,...`................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x6be000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instructions at entrypoint (0x6be000, section .taggant):
    jmp 00007F18593E9A1Ah
    rsqrtps xmm5, dqword ptr [ebx]
    add byte ptr [eax], al
    add byte ptr [eax], al
    add cl, ch
    add byte ptr [eax], ah
    add byte ptr [eax], al
    add byte ptr [0000000Ah], al
    add byte ptr [eax], al
    add byte ptr [eax], dh
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax+eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    and al, byte ptr [eax]
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add dword ptr [eax+00000000h], eax
    add byte ptr [eax], al
    adc byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add dword ptr [edx], ecx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    (unnamed) | 0x2000 | 0x4000 | 0x1200 | d9bddb36b7fd1cbd4577902b95732fd3 | False | 0.9307725694444444 | data | 7.7732611689992375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    jwaseymg | 0xa000 | 0x2b2000 | 0x2b1400 | 99e44771cfd670478379a63c0163e87c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    reksrrmv | 0x2bc000 | 0x2000 | 0x400 | 7076913c94571e3d6588e6f87b56e34c | False | 0.787109375 | data | 6.188617823505462 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .taggant | 0x2be000 | 0x4000 | 0x2200 | 3019bdaec025eb0976ac79baeb8d735b | False | 0.05514705882352941 | DOS executable (COM) | 0.8171357940523709 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
    RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

    DLL | Import
    kernel32.dll | lstrcpy

    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Nov 20, 2024 03:20:10.678772926 CET | 1.1.1.1 | 192.168.2.5 | 0x9567 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
    Nov 20, 2024 03:20:10.678772926 CET | 1.1.1.1 | 192.168.2.5 | 0x9567 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false

    Target ID:0
    Start time:21:20:17
    Start date:19/11/2024
    Path:C:\Users\user\Desktop\file.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\file.exe"
    Imagebase:0x470000
    File size:2'847'744 bytes
    MD5 hash:8016E5D93E55BB0356C789BB6BA0BDBE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

      Execution Graph

      Execution Coverage:6.4%
      Dynamic/Decrypted Code Coverage:3.5%
      Signature Coverage:5.5%
      Total number of Nodes:344
      Total number of Limit Nodes:20

      Control-flow Graph (function at 661e8f-661ea9, GetSystemInfo; legend: Executed / Not Executed)
      APIs
      • GetSystemInfo.KERNELBASE(?,-11E55FEC), ref: 00661E9B
      • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00661EFC
      Memory Dump Source
      • Source File: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: AllocInfoSystemVirtual
      • String ID:
      • API String ID: 3440192736-0
      • Opcode ID: 01bfafecf76a6a0d096a515ce9d0782433c2973a99af1a2f8c54efdc54e9de64
      • Instruction ID: b1cda726eed7f1383753827764036e9d7f8815ac109b8be3608b4fb130a651f6
      • Opcode Fuzzy Hash: 01bfafecf76a6a0d096a515ce9d0782433c2973a99af1a2f8c54efdc54e9de64
      • Instruction Fuzzy Hash: 7E410FB2900607AFE729DF608845BA6B7ADFF48740F084066A602DE982D67095D0CBE4

      Control-flow Graph (function at 5fdb67-5fdb69, LoadLibraryA; legend: Executed / Not Executed)
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: 96cb221779b5dbcc095fd7fe7016ab78a518651b4a214e31075fe6d9429018c9
      • Instruction ID: f97d8e7c4d161b206725514d963da37aee29b934abef77074884ed637e4111ea
      • Opcode Fuzzy Hash: 96cb221779b5dbcc095fd7fe7016ab78a518651b4a214e31075fe6d9429018c9
      • Instruction Fuzzy Hash: 0C317AB2408220AFD7117F19D841A7EFBF9EF84760F164C2EE6D483240D6345854CBAB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID:
      • String ID: !!iH
      • API String ID: 0-3430752988
      • Opcode ID: ca44ed21baaabe4879d936ed9fa82d122553004928ec54e3e91f042c58538119
      • Instruction ID: 3f06333d2cf9a3365ea93b605f5159cccdc8412b68525ffc43a68cdbaa8921cc
      • Opcode Fuzzy Hash: ca44ed21baaabe4879d936ed9fa82d122553004928ec54e3e91f042c58538119
      • Instruction Fuzzy Hash: 14E08CB11046899ACF26AF618D027E9360ADB40704F61852BBB199AE59CB2D081287DA

      Control-flow Graph

      APIs
      • LoadLibraryExW.KERNEL32(?,?,?), ref: 00654D05
      • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00654D19
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: 00000000.00000002.2327559229.0000000000470000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327617144.0000000000476000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327681748.0000000000484000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327710441.0000000000485000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327733406.0000000000486000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327943262.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327972184.00000000005E0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328012405.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.00000000005FF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328106983.0000000000612000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328129393.0000000000613000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328157050.000000000061A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328178010.000000000061B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328199070.000000000061C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328220092.000000000061D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328263882.0000000000643000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328310641.0000000000658000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328380336.000000000066D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328407424.0000000000674000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328431005.0000000000675000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328453965.0000000000679000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328479855.000000000067A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328503575.0000000000683000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328535104.0000000000693000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328560476.0000000000696000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328584034.0000000000697000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328608964.0000000000699000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328634676.00000000006A1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328658708.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328682807.00000000006A9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328706373.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328735153.00000000006B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328757962.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328780727.00000000006C7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328801844.00000000006C9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328822338.00000000006CA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328849988.00000000006CB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328872754.00000000006D5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328893490.00000000006D8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328933002.0000000000709000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328967672.000000000070A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.0000000000716000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.000000000071C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329050784.000000000072C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329076534.000000000072E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID: .dll$.exe$1002
      • API String ID: 1029625771-847511843
      • Opcode ID: 358ec6fe12954e0231828ce312f580ecdc7637299f5c27dffa6dd29b78a2e632
      • Instruction ID: 43d388b8e600e9a72b5ff0207fbe748956efa8482217ac92ad70a73debbeb9f6
      • Opcode Fuzzy Hash: 358ec6fe12954e0231828ce312f580ecdc7637299f5c27dffa6dd29b78a2e632
      • Instruction Fuzzy Hash: 1131DC31405109EFDF20AF50D908AAD7B77FF4834AF1082A9FD0656221CF318AE9DB95

      Control-flow Graph

      • Legend: Executed / Not Executed (rendered graph not reproduced)
      • Basic blocks 6550fa-6551d7; subroutine calls to 654a5e, 653521, 653c33 and 6535cc; GetModuleHandleW in block 6551b4-6551bd and GetModuleHandleA in block 6551c2-6551c5, both merging at 6551cb
      APIs
      • GetModuleHandleW.KERNEL32(?,?,?,?,0065508C,?,00000000,00000000), ref: 006551B7
      • GetModuleHandleA.KERNEL32(00000000,?,?,?,0065508C,?,00000000,00000000), ref: 006551C5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: the same 50 memory dump regions (0000000000470000 through 000000000072E000 of 00000000.00000002) that are listed in full for an earlier function above; the list is identical and is not repeated here
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: HandleModule
      • String ID: .dll
      • API String ID: 4139908857-2738580789
      • Opcode ID: cfd50e139286997a4db959d9dcea00596d4387b78d3f76fe261e0eb5551cd6fb
      • Instruction ID: 5a0370a8d80c61d48150401175ad854dd85b9289c23cd06686c7efbc3352396e
      • Opcode Fuzzy Hash: cfd50e139286997a4db959d9dcea00596d4387b78d3f76fe261e0eb5551cd6fb
      • Instruction Fuzzy Hash: FB112A30104E0AEAFF319FA4C81D7A97BB6FF00746F114225AC02456E1DBB19ADDDA91

      Control-flow Graph

      • Legend: Executed / Not Executed (rendered graph not reproduced)
      • Basic blocks 657a54-657aee; subroutine calls to 653521, 653c85, 653c33 and 6535cc; GetFileAttributesW in block 657ac7-657ad3 and GetFileAttributesA in block 657ad8-657adb, both merging at 657ae1
      APIs
      • GetFileAttributesW.KERNELBASE(00CBA294,-11E55FEC), ref: 00657ACD
      • GetFileAttributesA.KERNEL32(00000000,-11E55FEC), ref: 00657ADB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: the same 50 memory dump regions (0000000000470000 through 000000000072E000 of 00000000.00000002) that are listed in full for an earlier function above; the list is identical and is not repeated here
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: AttributesFile
      • String ID: @
      • API String ID: 3188754299-2726393805
      • Opcode ID: 792bbb73e90ad588ec20ed8874b95218dae97b82b5967c8914271a96dfad9083
      • Instruction ID: f836b82cbb8f0a5eb39fea96e09dc54e2a369dd046f84936c076aacb0ecbe285
      • Opcode Fuzzy Hash: 792bbb73e90ad588ec20ed8874b95218dae97b82b5967c8914271a96dfad9083
      • Instruction Fuzzy Hash: 1A018170508509FAEF11DF64ED09B9DBE72EF40386F104158EC03651A1C7B09B9EEB04

      Control-flow Graph

      • Legend: Executed / Not Executed (rendered graph not reproduced)
      • Basic blocks 653ad4-653c30; PathAddExtensionA in block 653b2f-653b41; repeated calls to subroutine 653775 and a final call to 6537ae in block 653c1c-653c29; all exit paths converge on 653c2f
      APIs
      • PathAddExtensionA.KERNELBASE(?,00000000), ref: 00653B36
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: the same 50 memory dump regions (0000000000470000 through 000000000072E000 of 00000000.00000002) that are listed in full for an earlier function above; the list is identical and is not repeated here
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: ExtensionPath
      • String ID: \\?\
      • API String ID: 158807944-4282027825
      • Opcode ID: 70957b4d9221fbe0900758849eb50fdfd68b5a57f10b9890b5a8a5da8d5aeb7f
      • Instruction ID: 1e1fbc0a3b6346b55aeb620d5d943bbd6694433aaa18362d9c21b12587a75b55
      • Opcode Fuzzy Hash: 70957b4d9221fbe0900758849eb50fdfd68b5a57f10b9890b5a8a5da8d5aeb7f
      • Instruction Fuzzy Hash: 8431397590021EBFEF219F94CD09BDEBAB7FF08B82F001554F901A5260E7329A69DB54
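      The function entries above (one "Control-flow Graph" block each, with its APIs, Strings and Similarity fields) are easy to read one at a time but tedious to triage across a whole report. The Python parser below is an added example and is not Joe Sandbox code or part of this report. It reads the report text as laid out on this page, turns every API line into a record (name, module, arguments, call-site address, and the subroutine address when the line is marked "Part of subcall function"), computes the call site's offset from the "Offset:" image base so the values survive a differently based run, and flags functions that call both the W and the A variant of one API, the pattern seen above in the LoadLibraryEx, GetModuleHandle and GetFileAttributes wrappers. SAMPLE_REPORT is a constructed excerpt copied from the entries on this page; treating a W/A pair as a character-set wrapper (try the wide call, fall back to ANSI) is a heuristic assumption of this example, not something the report states.

```python
"""Parse the per-function API / Strings / Similarity entries of a Joe Sandbox
text report (layout as on this page) and flag W/A (UTF-16 / ANSI) wrapper pairs.
Added example, not Joe Sandbox code; SAMPLE_REPORT is a constructed excerpt."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_REPORT = """\
Control-flow Graph

APIs
• LoadLibraryExW.KERNEL32(?,?,?), ref: 00654D05
• LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00654D19
• Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
Similarity
• API ID: LibraryLoad
• String ID: .dll$.exe$1002

Control-flow Graph

APIs
  • Part of subcall function 00653521: GetCurrentThreadId.KERNEL32 ref: 00653530
  • Part of subcall function 00653521: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00653573
• GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00655247
• Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
Similarity
• API ID: HandleModule
• String ID:
"""

# One API line: optional "Part of subcall function <addr>:" prefix, then
# Name.MODULE, an optional "(args)" list, an optional comma, then "ref: <addr>".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SRC_RE = re.compile(r"^\s*•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple[str, ...]
    ref: int                    # virtual address of the call site in the dump
    subcall_of: Optional[int]   # subroutine address if the call is reached via a subcall


@dataclass
class FunctionEntry:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    api_id: str = ""
    source_file: str = ""
    image_base: int = 0         # the "Offset:" value of the dump the function lives in

    def rva(self, call: ApiCall) -> int:
        """Call-site offset relative to the image base, stable across rebased runs."""
        return call.ref - self.image_base


def parse_report(text: str) -> list[FunctionEntry]:
    """Split the report into per-function entries, one per 'Control-flow Graph' block."""
    entries: list[FunctionEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Control-flow Graph":
            entries.append(FunctionEntry())
            continue
        if not entries:
            continue                        # text before the first function block
        cur = entries[-1]
        m = API_RE.match(raw)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                     int(m["sub"], 16) if m["sub"] else None))
            continue
        m = SRC_RE.match(raw)
        if m:
            cur.source_file, cur.image_base = m["file"], int(m["base"], 16)
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• String ID:"):
            value = line.split(":", 1)[1].strip()
            cur.strings = value.split("$") if value else []   # '$' separates strings
    return entries


def wide_ansi_pairs(entry: FunctionEntry) -> list[str]:
    """Base names of APIs whose W and A variants are both called directly by this function.
    Assumption: such a pair is a character-set wrapper (try wide, fall back to ANSI)."""
    direct = {c.name for c in entry.calls if c.subcall_of is None}
    bases = {n[:-1] for n in direct if n.endswith(("W", "A"))}
    return sorted(b for b in bases if {b + "W", b + "A"} <= direct)


if __name__ == "__main__":
    for i, e in enumerate(parse_report(SAMPLE_REPORT), 1):
        calls = ", ".join(f"{c.name}@{e.rva(c):X}{'(sub)' if c.subcall_of else ''}" for c in e.calls)
        print(f"#{i} [{e.api_id}] {calls}; strings={e.strings}; W/A pairs={wide_ansi_pairs(e)}")
```

Run stand-alone it prints one line per function with call sites as RVAs; point parse_report at the full report text to triage every entry. The regular expressions are tuned to the bullet layout shown on this page and may need adjusting for a report exported in another form.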

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 119 6551e3-6551f6 call 653521 122 6551fc-655208 call 653c33 119->122 123 655239-65524d call 6535cc GetModuleHandleExA 119->123 126 65520d-65520f 122->126 129 655257-655259 123->129 126->123 128 655215-65521c 126->128 130 655225-655252 call 6535cc 128->130 131 655222 128->131 130->129 131->130
      APIs
        • Part of subcall function 00653521: GetCurrentThreadId.KERNEL32 ref: 00653530
        • Part of subcall function 00653521: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00653573
      • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00655247
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: 00000000.00000002.2327559229.0000000000470000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327617144.0000000000476000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327681748.0000000000484000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327710441.0000000000485000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327733406.0000000000486000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327943262.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327972184.00000000005E0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328012405.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.00000000005FF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328106983.0000000000612000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328129393.0000000000613000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328157050.000000000061A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328178010.000000000061B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328199070.000000000061C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328220092.000000000061D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328263882.0000000000643000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328310641.0000000000658000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328380336.000000000066D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328407424.0000000000674000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328431005.0000000000675000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328453965.0000000000679000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328479855.000000000067A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328503575.0000000000683000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328535104.0000000000693000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328560476.0000000000696000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328584034.0000000000697000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328608964.0000000000699000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328634676.00000000006A1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328658708.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328682807.00000000006A9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328706373.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328735153.00000000006B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328757962.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328780727.00000000006C7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328801844.00000000006C9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328822338.00000000006CA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328849988.00000000006CB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328872754.00000000006D5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328893490.00000000006D8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328933002.0000000000709000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328967672.000000000070A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.0000000000716000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.000000000071C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329050784.000000000072C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329076534.000000000072E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: CurrentHandleModuleSleepThread
      • String ID: .dll
      • API String ID: 683542999-2738580789
      • Opcode ID: 9cfabc2b5ee789634854123035e761024b29884061b605687579e819e37c4e39
      • Instruction ID: 86c359be34123636f5e7be88410e1442caac0f7434a47b507fcbf49a7d3863cc
      • Opcode Fuzzy Hash: 9cfabc2b5ee789634854123035e761024b29884061b605687579e819e37c4e39
      • Instruction Fuzzy Hash: 92F0B475200609AFDF009F94CC49BAE3BA2FF14395F108018FD0649252D330C7A9EB10

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 162 657c70-657c7e 163 657c84-657c8b 162->163 164 657c90 162->164 165 657c97-657ca3 call 653521 163->165 164->165 168 657cbe-657cce call 657c22 165->168 169 657ca9-657cb3 call 657b7d 165->169 175 657cd4-657cdb 168->175 176 657ce0-657cee call 653c33 168->176 169->168 174 657cb9 169->174 177 657cff-657d04 174->177 175->177 176->177 183 657cf4-657cf5 call 655477 176->183 180 657d2d-657d42 CreateFileA 177->180 181 657d0a-657d28 CreateFileW 177->181 182 657d48-657d49 180->182 181->182 184 657d4e-657d55 call 6535cc 182->184 187 657cfa 183->187 187->184
      APIs
      • CreateFileW.KERNELBASE(00CBA294,?,?,-11E55FEC,?,?,?,-11E55FEC,?), ref: 00657D22
        • Part of subcall function 00657C22: IsBadWritePtr.KERNEL32(?,00000004), ref: 00657C30
      • CreateFileA.KERNEL32(?,?,?,-11E55FEC,?,?,?,-11E55FEC,?), ref: 00657D42
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: CreateFile$Write
      • String ID:
      • API String ID: 1125675974-0
      • Opcode ID: f61c2e06e683b0a380ea46deb8a1719f9aefb78ef65ee3fd2fbf270a136faaef
      • Instruction ID: a0759b0c622735f92c8c358b86152f0efecedab200881b42334f63b033dfb78f
      • Opcode Fuzzy Hash: f61c2e06e683b0a380ea46deb8a1719f9aefb78ef65ee3fd2fbf270a136faaef
      • Instruction Fuzzy Hash: 6111E47100954AFEDF129F90EE09BEE3A73BF14346F144119BD0625160C7768AAAEB91

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 189 6575dc-6575f2 call 653521 GetCurrentProcess 192 657634-657656 call 6535cc DuplicateHandle 189->192 193 6575f8-6575fb 189->193 199 657660-657662 192->199 193->192 194 657601-657604 193->194 194->192 196 65760a-65761d call 65337b 194->196 196->192 201 657623-65765b call 655379 call 6535cc 196->201 201->199
      APIs
        • Part of subcall function 00653521: GetCurrentThreadId.KERNEL32 ref: 00653530
        • Part of subcall function 00653521: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00653573
      • GetCurrentProcess.KERNEL32(-11E55FEC), ref: 006575E9
      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0065764F
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: Current$DuplicateHandleProcessSleepThread
      • String ID:
      • API String ID: 2846201637-0
      • Opcode ID: eec1a73018c14433f1acf0a8d716648c67b84d7a3cf19e9a06ede82a19ffd6a6
      • Instruction ID: 1c11f2669e7146c9c6584f0955eb019ef937774ce0f9068c5f7f0784cb6e9a31
      • Opcode Fuzzy Hash: eec1a73018c14433f1acf0a8d716648c67b84d7a3cf19e9a06ede82a19ffd6a6
      • Instruction Fuzzy Hash: 9801FB3210494AEB8F526FA8EC04CEE3F76FFA9796F004115FD0591111D731C66AEB65

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 206 653521-653537 GetCurrentThreadId 207 653539-653545 206->207 208 653580-65358d call 65a3a0 207->208 209 65354b-65354d 207->209 209->208 210 653553-65355a 209->210 212 653560-653567 210->212 213 65356f-65357b Sleep 210->213 212->213 215 65356d 212->215 213->207 215->213
      APIs
      • GetCurrentThreadId.KERNEL32 ref: 00653530
      • Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00653573
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: CurrentSleepThread
      • String ID:
      • API String ID: 1164918020-0
      • Opcode ID: f29c62eb83914e6727531ba09a41890bd4507768afd5e8a9c73ca1463c029afc
      • Instruction ID: 14043e96e4dff824890e4aa036696499f90f3843cc4659a141a6c0aad704777e
      • Opcode Fuzzy Hash: f29c62eb83914e6727531ba09a41890bd4507768afd5e8a9c73ca1463c029afc
      • Instruction Fuzzy Hash: 70F0B471501605FBE721DFA4C8447AEB3B6FF4175BF20117DD50186350E7741E49DA91

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 216 656275-656294 call 653521 call 65337b 221 6562aa-6562ba call 6535cc CloseHandle 216->221 222 65629a-65629b call 655361 216->222 228 6562c4-6562c6 221->228 225 6562a0-6562bf call 6535cc 222->225 225->228
      APIs
        • Part of subcall function 00653521: GetCurrentThreadId.KERNEL32 ref: 00653530
        • Part of subcall function 00653521: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00653573
      • CloseHandle.KERNELBASE(?,-11E55FEC,?,?,00655C38,?), ref: 006562B3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: 00000000.00000002.2327559229.0000000000470000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327617144.0000000000476000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327681748.0000000000484000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327710441.0000000000485000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327733406.0000000000486000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327943262.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327972184.00000000005E0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328012405.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.00000000005FF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328106983.0000000000612000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328129393.0000000000613000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328157050.000000000061A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328178010.000000000061B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328199070.000000000061C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328220092.000000000061D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328263882.0000000000643000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328310641.0000000000658000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328380336.000000000066D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328407424.0000000000674000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328431005.0000000000675000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328453965.0000000000679000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328479855.000000000067A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328503575.0000000000683000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328535104.0000000000693000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328560476.0000000000696000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328584034.0000000000697000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328608964.0000000000699000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328634676.00000000006A1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328658708.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328682807.00000000006A9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328706373.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328735153.00000000006B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328757962.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328780727.00000000006C7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328801844.00000000006C9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328822338.00000000006CA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328849988.00000000006CB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328872754.00000000006D5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328893490.00000000006D8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328933002.0000000000709000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328967672.000000000070A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.0000000000716000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.000000000071C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329050784.000000000072C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329076534.000000000072E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: CloseCurrentHandleSleepThread
      • String ID: 8\e
      • API String ID: 4003616898-4277136053
      • Opcode ID: eebef50f81128450274ce63f6eeed6ecb1a7167f57bc8277841d1f7b531353e8
      • Instruction ID: 55989a65de923b1b3db2317f3804eb10249d65bd41217efb22bc1af8c3655487
      • Opcode Fuzzy Hash: eebef50f81128450274ce63f6eeed6ecb1a7167f57bc8277841d1f7b531353e8
      • Instruction Fuzzy Hash: 53E0D862504906A5DE5037B4CC09C4F3A26EF95B8AF000125BC0245112DA60C35FC624

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 246 6628bb-6628c9 247 6628cf-6628e1 246->247 248 6628ec-6628f6 call 662750 246->248 247->248 252 6628e7 247->252 253 662901-66290a 248->253 254 6628fc 248->254 255 662a4b-662a4d 252->255 256 662922-662929 253->256 257 662910-662917 253->257 254->255 258 662934-662944 256->258 259 66292f 256->259 257->256 260 66291d 257->260 258->255 261 66294a-662956 call 662825 258->261 259->255 260->255 264 662959-66295d 261->264 264->255 265 662963-66296d 264->265 266 662994-662997 265->266 267 662973-662986 265->267 268 66299a-66299d 266->268 267->266 272 66298c-66298e 267->272 270 662a43-662a46 268->270 271 6629a3-6629aa 268->271 270->264 273 6629b0-6629b6 271->273 274 6629d8-6629f1 271->274 272->266 272->270 275 6629d3 273->275 276 6629bc-6629c1 273->276 280 6629f7-662a05 274->280 281 662a0a-662a12 VirtualProtect 274->281 278 662a3b-662a3e 275->278 276->275 277 6629c7-6629cd 276->277 277->274 277->275 278->268 282 662a18-662a1b 280->282 281->282 282->278 284 662a21-662a3a 282->284 284->278
      Memory Dump Source
      • Source File: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: 00000000.00000002.2327559229.0000000000470000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327617144.0000000000476000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327681748.0000000000484000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327710441.0000000000485000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327733406.0000000000486000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327943262.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327972184.00000000005E0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328012405.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.00000000005FF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328106983.0000000000612000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328129393.0000000000613000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328157050.000000000061A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328178010.000000000061B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328199070.000000000061C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328220092.000000000061D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328263882.0000000000643000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328310641.0000000000658000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328380336.000000000066D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328407424.0000000000674000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328431005.0000000000675000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328453965.0000000000679000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328479855.000000000067A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328503575.0000000000683000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328535104.0000000000693000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328560476.0000000000696000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328584034.0000000000697000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328608964.0000000000699000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328634676.00000000006A1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328658708.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328682807.00000000006A9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328706373.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328735153.00000000006B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328757962.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328780727.00000000006C7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328801844.00000000006C9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328822338.00000000006CA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328849988.00000000006CB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328872754.00000000006D5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328893490.00000000006D8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328933002.0000000000709000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328967672.000000000070A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.0000000000716000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.000000000071C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329050784.000000000072C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329076534.000000000072E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 6cba31ad67c5304dd34bc0c01db78fdcfdf6820418f772385c567af188147850
      • Instruction ID: 9ed984ff04173cb7a7db7174511aff69a3ced77942c7c658b0c7e70bc89543f3
      • Opcode Fuzzy Hash: 6cba31ad67c5304dd34bc0c01db78fdcfdf6820418f772385c567af188147850
      • Instruction Fuzzy Hash: 11419D72D00A0BEFEB35CF50C854BEE7BB6FB40310F248559E502AA692C771AC91DB91

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 286 5fdcce-5fdcd0 LoadLibraryA 287 5fdcdd-5fde3a 286->287
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: 00000000.00000002.2327559229.0000000000470000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327617144.0000000000476000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327681748.0000000000484000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327710441.0000000000485000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327733406.0000000000486000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327943262.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327972184.00000000005E0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328012405.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.00000000005FF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328106983.0000000000612000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328129393.0000000000613000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328157050.000000000061A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328178010.000000000061B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328199070.000000000061C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328220092.000000000061D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328263882.0000000000643000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328310641.0000000000658000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328380336.000000000066D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328407424.0000000000674000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328431005.0000000000675000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328453965.0000000000679000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328479855.000000000067A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328503575.0000000000683000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328535104.0000000000693000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328560476.0000000000696000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328584034.0000000000697000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328608964.0000000000699000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328634676.00000000006A1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328658708.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328682807.00000000006A9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328706373.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328735153.00000000006B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328757962.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328780727.00000000006C7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328801844.00000000006C9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328822338.00000000006CA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328849988.00000000006CB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328872754.00000000006D5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328893490.00000000006D8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328933002.0000000000709000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328967672.000000000070A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.0000000000716000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.000000000071C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329050784.000000000072C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329076534.000000000072E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: faca1dd29f478728cd9871c84aaf2939ae438d74225981b1757100669a5b9825
      • Instruction ID: fece5b404d8e20cfe584bb67f5245d7a02ce5d86f696eb5e48eb44026b8c4658
      • Opcode Fuzzy Hash: faca1dd29f478728cd9871c84aaf2939ae438d74225981b1757100669a5b9825
      • Instruction Fuzzy Hash: 973147F251C614AFE341AF19DC816BAFBEAEF98750F06492DE2C4C3610E67588418B97
      APIs
      • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00655D10
        • Part of subcall function 006535FF: RtlAllocateHeap.NTDLL(00000000,00000000,006532A8,?,?,006532A8,00000008), ref: 00653619
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: 00000000.00000002.2327559229.0000000000470000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327617144.0000000000476000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327681748.0000000000484000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327710441.0000000000485000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327733406.0000000000486000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327943262.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327972184.00000000005E0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328012405.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.00000000005FF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328106983.0000000000612000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328129393.0000000000613000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328157050.000000000061A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328178010.000000000061B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328199070.000000000061C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328220092.000000000061D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328263882.0000000000643000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328310641.0000000000658000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328380336.000000000066D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328407424.0000000000674000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328431005.0000000000675000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328453965.0000000000679000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328479855.000000000067A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328503575.0000000000683000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328535104.0000000000693000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328560476.0000000000696000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328584034.0000000000697000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328608964.0000000000699000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328634676.00000000006A1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328658708.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328682807.00000000006A9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328706373.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328735153.00000000006B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328757962.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328780727.00000000006C7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328801844.00000000006C9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328822338.00000000006CA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328849988.00000000006CB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328872754.00000000006D5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328893490.00000000006D8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328933002.0000000000709000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328967672.000000000070A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.0000000000716000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.000000000071C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329050784.000000000072C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329076534.000000000072E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: AllocateCreateFileHeap
      • String ID:
      • API String ID: 3125202945-0
      • Opcode ID: 52bb7b599174c793388f32d7bcd7f51e859eaa06510dbf59540231b8f614cc70
      • Instruction ID: e6b0d66d468c51710a98dc9845b6fd4b5464e80d480f8d3f877e3f3b3d25dfb6
      • Opcode Fuzzy Hash: 52bb7b599174c793388f32d7bcd7f51e859eaa06510dbf59540231b8f614cc70
      • Instruction Fuzzy Hash: E431C071900604FEEB209F60DC4DFADBBB9FF04715F208229F906AA291D7719A4ACB54
      APIs
        • Part of subcall function 006535FF: RtlAllocateHeap.NTDLL(00000000,00000000,006532A8,?,?,006532A8,00000008), ref: 00653619
      • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 006554F9
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: 00000000.00000002.2327559229.0000000000470000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327617144.0000000000476000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327681748.0000000000484000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327710441.0000000000485000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327733406.0000000000486000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327943262.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327972184.00000000005E0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328012405.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.00000000005FF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328106983.0000000000612000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328129393.0000000000613000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328157050.000000000061A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328178010.000000000061B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328199070.000000000061C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328220092.000000000061D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328263882.0000000000643000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328310641.0000000000658000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328380336.000000000066D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328407424.0000000000674000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328431005.0000000000675000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328453965.0000000000679000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328479855.000000000067A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328503575.0000000000683000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328535104.0000000000693000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328560476.0000000000696000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328584034.0000000000697000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328608964.0000000000699000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328634676.00000000006A1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328658708.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328682807.00000000006A9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328706373.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328735153.00000000006B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328757962.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328780727.00000000006C7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328801844.00000000006C9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328822338.00000000006CA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328849988.00000000006CB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328872754.00000000006D5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328893490.00000000006D8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328933002.0000000000709000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328967672.000000000070A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.0000000000716000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.000000000071C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329050784.000000000072C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329076534.000000000072E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: AllocateCreateFileHeap
      • String ID:
      • API String ID: 3125202945-0
      • Opcode ID: 20a053188d6c3a9464be28ff79873f8ed6b6d35f0856857ffca7183688f207f1
      • Instruction ID: fd8ae95e6bc0ef2e261d8e5e8612f6d49710b6e2bd1ad393e7a7419431849a37
      • Opcode Fuzzy Hash: 20a053188d6c3a9464be28ff79873f8ed6b6d35f0856857ffca7183688f207f1
      • Instruction Fuzzy Hash: D8313971500B04BEEB209F64DC49F9D77BAFF04725F204229FA12AA1D1D3B1A645CB54
      APIs
      • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 006626B5
      Memory Dump Source
      • Source File: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: 00000000.00000002.2327559229.0000000000470000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327617144.0000000000476000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327681748.0000000000484000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327710441.0000000000485000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327733406.0000000000486000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327943262.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327972184.00000000005E0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328012405.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.00000000005FF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328106983.0000000000612000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328129393.0000000000613000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328157050.000000000061A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328178010.000000000061B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328199070.000000000061C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328220092.000000000061D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328263882.0000000000643000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328310641.0000000000658000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328380336.000000000066D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328407424.0000000000674000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328431005.0000000000675000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328453965.0000000000679000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328479855.000000000067A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328503575.0000000000683000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328535104.0000000000693000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328560476.0000000000696000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328584034.0000000000697000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328608964.0000000000699000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328634676.00000000006A1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328658708.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328682807.00000000006A9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328706373.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328735153.00000000006B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328757962.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328780727.00000000006C7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328801844.00000000006C9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328822338.00000000006CA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328849988.00000000006CB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328872754.00000000006D5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328893490.00000000006D8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328933002.0000000000709000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328967672.000000000070A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.0000000000716000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.000000000071C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329050784.000000000072C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329076534.000000000072E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: FileModuleName
      • String ID:
      • API String ID: 514040917-0
      • Opcode ID: ee20e6568aa4899ef570e626a8b1b11516d95a80e04b4246bd155ef3350bb72b
      • Instruction ID: 22e90c3bedcd129c9a61b749eb76feafba030b68ea1d7873e0a96eb3b107b2d1
      • Opcode Fuzzy Hash: ee20e6568aa4899ef570e626a8b1b11516d95a80e04b4246bd155ef3350bb72b
      • Instruction Fuzzy Hash: 2B11D072A05A6BABEF349A14CC68BEB776DEF14714F104096E845E2241D7B09DC0CBA0
      APIs
      • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04D40DCD
      Memory Dump Source
      • Source File: 00000000.00000002.2332262216.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4d40000_file.jbxd
      Similarity
      • API ID: ManagerOpen
      • String ID:
      • API String ID: 1889721586-0
      • Opcode ID: 52bf0e50f98e95f9a76eefe04918dad1489bd05b36625a7352a44c1ff6012c13
      • Instruction ID: ca6944c3bc6cd6e2c79755989e80fdbf63dc2d28381ea838c84f4dd77bc39bde
      • Opcode Fuzzy Hash: 52bf0e50f98e95f9a76eefe04918dad1489bd05b36625a7352a44c1ff6012c13
      • Instruction Fuzzy Hash: 8B2133B6C012089FCB11CFA9D884ADEFBB4FF88310F14811ADA08AB205D738A544CFA5
      APIs
      • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04D40DCD
      Memory Dump Source
      • Source File: 00000000.00000002.2332262216.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4d40000_file.jbxd
      Similarity
      • API ID: ManagerOpen
      • String ID:
      • API String ID: 1889721586-0
      • Opcode ID: 9cbfc5883088d8ec36cec135ace5e18b520956406de71904c29458ae0fc17330
      • Instruction ID: 258e8abbb4c9cfe55dd3144da2ab3f8d84e02542fcdc6debdb71b0009ab14122
      • Opcode Fuzzy Hash: 9cbfc5883088d8ec36cec135ace5e18b520956406de71904c29458ae0fc17330
      • Instruction Fuzzy Hash: 1E2124B6C012189FCB50CF99D884ADEFBF4FF88310F14851AD908AB204D734A544CFA5
      APIs
      • ControlService.ADVAPI32(?,?,?), ref: 04D41580
      Memory Dump Source
      • Source File: 00000000.00000002.2332262216.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4d40000_file.jbxd
      Similarity
      • API ID: ControlService
      • String ID:
      • API String ID: 253159669-0
      • Opcode ID: 56d3d47d35cee5c7d3d45f01514abd02f0bb04e3887086e7e737c238c3d168fc
      • Instruction ID: 7cee84f3aaf03ea696d555b0f2533135fc6a55ab43daff8d695649632f9d645a
      • Opcode Fuzzy Hash: 56d3d47d35cee5c7d3d45f01514abd02f0bb04e3887086e7e737c238c3d168fc
      • Instruction Fuzzy Hash: 6B11E4B19002499FDB10CF9AD588BDEFBF4FB48320F10842AE559A3250D378A684CFA5
      APIs
      • ControlService.ADVAPI32(?,?,?), ref: 04D41580
      Memory Dump Source
      • Source File: 00000000.00000002.2332262216.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4d40000_file.jbxd
      Similarity
      • API ID: ControlService
      • String ID:
      • API String ID: 253159669-0
      • Opcode ID: db32cab8bdfa4018bcc63aa48dd516ab7ee9176eb9fe99a371b5682d3b2e0dc3
      • Instruction ID: 408984e737994a2406a0a58fc463a0410246224b2e5ac4be6ddcedd092accbfc
      • Opcode Fuzzy Hash: db32cab8bdfa4018bcc63aa48dd516ab7ee9176eb9fe99a371b5682d3b2e0dc3
      • Instruction Fuzzy Hash: 182117B5900249CFDB10CF9AC544BDEFBF4FB48310F14842AE558A7250C378A584CFA5
      APIs
      • ImpersonateLoggedOnUser.KERNELBASE ref: 04D41367
      Memory Dump Source
      • Source File: 00000000.00000002.2332262216.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4d40000_file.jbxd
      Similarity
      • API ID: ImpersonateLoggedUser
      • String ID:
      • API String ID: 2216092060-0
      • Opcode ID: 02c250703dbbe0f8660e4e9f0a18a17e0f80089b038b1a5d092da37d0ec964a4
      • Instruction ID: dfb769e8ad11ba00561a83c236016a4128b4746e2811ec1842efe90f71fe4207
      • Opcode Fuzzy Hash: 02c250703dbbe0f8660e4e9f0a18a17e0f80089b038b1a5d092da37d0ec964a4
      • Instruction Fuzzy Hash: 1E1125B1800249CFDB10DF9AD449BEEFBF4EF48324F24846AD558A3250D778A584CFA5
      APIs
      • ImpersonateLoggedOnUser.KERNELBASE ref: 04D41367
      Memory Dump Source
      • Source File: 00000000.00000002.2332262216.0000000004D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4d40000_file.jbxd
      Similarity
      • API ID: ImpersonateLoggedUser
      • String ID:
      • API String ID: 2216092060-0
      • Opcode ID: 01035b47e2ecbc648575d2c0d56b8fa2e98f67f2452b0f0680746b9310736715
      • Instruction ID: d0c7e42e80d574a931668d9b3cee350576e814df2e401cf6c06402b048437b37
      • Opcode Fuzzy Hash: 01035b47e2ecbc648575d2c0d56b8fa2e98f67f2452b0f0680746b9310736715
      • Instruction Fuzzy Hash: 691148B1800249CFDB10CF9AC448BDEFBF8EF48320F14841AD558A3240C778A584CFA5
      APIs
        • Part of subcall function 00653521: GetCurrentThreadId.KERNEL32 ref: 00653530
        • Part of subcall function 00653521: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00653573
      • ReadFile.KERNELBASE(?,00000400,?,?,00655BA3,-11E55FEC,?,?,00655BA3,?,?,00000400,?,00000000), ref: 00657EE0
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: 00000000.00000002.2327559229.0000000000470000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327617144.0000000000476000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327681748.0000000000484000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327710441.0000000000485000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327733406.0000000000486000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327943262.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327972184.00000000005E0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328012405.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.00000000005FF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328106983.0000000000612000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328129393.0000000000613000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328157050.000000000061A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328178010.000000000061B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328199070.000000000061C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328220092.000000000061D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328263882.0000000000643000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328310641.0000000000658000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328380336.000000000066D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328407424.0000000000674000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328431005.0000000000675000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328453965.0000000000679000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328479855.000000000067A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328503575.0000000000683000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328535104.0000000000693000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328560476.0000000000696000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328584034.0000000000697000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328608964.0000000000699000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328634676.00000000006A1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328658708.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328682807.00000000006A9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328706373.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328735153.00000000006B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328757962.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328780727.00000000006C7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328801844.00000000006C9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328822338.00000000006CA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328849988.00000000006CB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328872754.00000000006D5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328893490.00000000006D8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328933002.0000000000709000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328967672.000000000070A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.0000000000716000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.000000000071C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329050784.000000000072C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329076534.000000000072E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: CurrentFileReadSleepThread
      • String ID:
      • API String ID: 1253362762-0
      • Opcode ID: 9976747a6bbf9171aa490a96705c280dedfaeb13746baccd63542ddef2b69060
      • Instruction ID: 3907baf55acb50a58a49629bdf85d5d0281deb913ceaa25ed7d23b10ec461e50
      • Opcode Fuzzy Hash: 9976747a6bbf9171aa490a96705c280dedfaeb13746baccd63542ddef2b69060
      • Instruction Fuzzy Hash: 95F03C3210460AEBCF12AF94DC0AD9E3F67FF58746F004455FD0155121D732CAAAEB61
      APIs
      • GetProcAddress.KERNEL32(0065460D,0065460D), ref: 00654EA2
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: 00000000.00000002.2327559229.0000000000470000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327617144.0000000000476000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327681748.0000000000484000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327710441.0000000000485000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327733406.0000000000486000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327943262.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327972184.00000000005E0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328012405.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.00000000005FF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328106983.0000000000612000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328129393.0000000000613000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328157050.000000000061A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328178010.000000000061B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328199070.000000000061C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328220092.000000000061D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328263882.0000000000643000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328310641.0000000000658000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328380336.000000000066D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328407424.0000000000674000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328431005.0000000000675000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328453965.0000000000679000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328479855.000000000067A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328503575.0000000000683000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328535104.0000000000693000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328560476.0000000000696000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328584034.0000000000697000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328608964.0000000000699000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328634676.00000000006A1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328658708.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328682807.00000000006A9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328706373.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328735153.00000000006B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328757962.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328780727.00000000006C7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328801844.00000000006C9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328822338.00000000006CA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328849988.00000000006CB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328872754.00000000006D5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328893490.00000000006D8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328933002.0000000000709000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328967672.000000000070A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.0000000000716000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.000000000071C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329050784.000000000072C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329076534.000000000072E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: AddressProc
      • String ID:
      • API String ID: 190572456-0
      • Opcode ID: 728c60800bbd137f0fd0fbac09fdab5b45512a555c002c71fa07c74f3bfb87a8
      • Instruction ID: 18518faa8702b8a3dd437fa82cd99e8c8cdcb0ce95ad47af25cfa0fb63a2260a
      • Opcode Fuzzy Hash: 728c60800bbd137f0fd0fbac09fdab5b45512a555c002c71fa07c74f3bfb87a8
      • Instruction Fuzzy Hash: 54E06D35100155BACF913B75CD0B89E3A27BF5039EF0080A5BC0554066DF31C79AD629
      APIs
      • RtlAllocateHeap.NTDLL(00000000,00000000,006532A8,?,?,006532A8,00000008), ref: 00653619
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: 00000000.00000002.2327559229.0000000000470000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327617144.0000000000476000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327681748.0000000000484000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327710441.0000000000485000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327733406.0000000000486000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327943262.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327972184.00000000005E0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328012405.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.00000000005FF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328106983.0000000000612000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328129393.0000000000613000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328157050.000000000061A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328178010.000000000061B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328199070.000000000061C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328220092.000000000061D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328263882.0000000000643000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328310641.0000000000658000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328380336.000000000066D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328407424.0000000000674000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328431005.0000000000675000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328453965.0000000000679000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328479855.000000000067A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328503575.0000000000683000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328535104.0000000000693000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328560476.0000000000696000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328584034.0000000000697000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328608964.0000000000699000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328634676.00000000006A1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328658708.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328682807.00000000006A9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328706373.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328735153.00000000006B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328757962.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328780727.00000000006C7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328801844.00000000006C9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328822338.00000000006CA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328849988.00000000006CB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328872754.00000000006D5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328893490.00000000006D8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328933002.0000000000709000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328967672.000000000070A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.0000000000716000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.000000000071C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329050784.000000000072C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329076534.000000000072E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: AllocateHeap
      • String ID:
      • API String ID: 1279760036-0
      • Opcode ID: 3de5514871acdf1b2eee8b4176a70c18c4cdcbbe50a4edd998cde72ef82964e3
      • Instruction ID: d5d4d66781326a7538ead1693d652ea0d3e6deadf3d7d4a6350c683ecbc5b5a1
      • Opcode Fuzzy Hash: 3de5514871acdf1b2eee8b4176a70c18c4cdcbbe50a4edd998cde72ef82964e3
      • Instruction Fuzzy Hash: F9D01272200245B7DA205E59DC09FDF7ABCEB85F91F000129F90390140DB75E061C7B8
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: 00000000.00000002.2327559229.0000000000470000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327617144.0000000000476000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327681748.0000000000484000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327710441.0000000000485000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327733406.0000000000486000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327943262.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327972184.00000000005E0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328012405.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.00000000005FF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328106983.0000000000612000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328129393.0000000000613000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328157050.000000000061A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328178010.000000000061B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328199070.000000000061C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328220092.000000000061D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328263882.0000000000643000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328310641.0000000000658000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328380336.000000000066D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328407424.0000000000674000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328431005.0000000000675000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328453965.0000000000679000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328479855.000000000067A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328503575.0000000000683000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328535104.0000000000693000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328560476.0000000000696000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328584034.0000000000697000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328608964.0000000000699000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328634676.00000000006A1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328658708.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328682807.00000000006A9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328706373.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328735153.00000000006B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328757962.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328780727.00000000006C7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328801844.00000000006C9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328822338.00000000006CA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328849988.00000000006CB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328872754.00000000006D5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328893490.00000000006D8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328933002.0000000000709000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328967672.000000000070A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.0000000000716000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.000000000071C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329050784.000000000072C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329076534.000000000072E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: 4ae40edb47c3193f0fe807b400e3f430b0943d91f19366edfb193dc9e323ca24
      • Instruction ID: bffdf3a353b05fa62079b6a2997a67cbd4b1eb1540339583b809669840ce6a0e
      • Opcode Fuzzy Hash: 4ae40edb47c3193f0fe807b400e3f430b0943d91f19366edfb193dc9e323ca24
      • Instruction Fuzzy Hash: 7AD017B1808B608FD3446FB8854802EBBF4EE05640F16092EE886D3100D73089808B83
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: 00000000.00000002.2327559229.0000000000470000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327617144.0000000000476000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327681748.0000000000484000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327710441.0000000000485000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327733406.0000000000486000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327943262.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327972184.00000000005E0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328012405.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.00000000005FF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328106983.0000000000612000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328129393.0000000000613000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328157050.000000000061A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328178010.000000000061B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328199070.000000000061C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328220092.000000000061D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328263882.0000000000643000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328310641.0000000000658000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328380336.000000000066D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328407424.0000000000674000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328431005.0000000000675000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328453965.0000000000679000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328479855.000000000067A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328503575.0000000000683000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328535104.0000000000693000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328560476.0000000000696000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328584034.0000000000697000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328608964.0000000000699000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328634676.00000000006A1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328658708.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328682807.00000000006A9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328706373.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328735153.00000000006B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328757962.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328780727.00000000006C7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328801844.00000000006C9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328822338.00000000006CA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328849988.00000000006CB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328872754.00000000006D5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328893490.00000000006D8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328933002.0000000000709000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328967672.000000000070A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.0000000000716000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.000000000071C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329050784.000000000072C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329076534.000000000072E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: lstrcmpi
      • String ID:
      • API String ID: 1586166983-0
      • Opcode ID: 55605f88b21546327e0d72bcd3836f55d6831da5e9bfb94f2105e2eba85c71e3
      • Instruction ID: 97fd0db0c625fcad5da829ac1a853a663cd35886890a9dbc670cc6a8801f114b
      • Opcode Fuzzy Hash: 55605f88b21546327e0d72bcd3836f55d6831da5e9bfb94f2105e2eba85c71e3
      • Instruction Fuzzy Hash: 8C01E875A0011DBFDF119FA5CC04DDEBBB6FF48B82F000569A805A5260D7328665DB64
      APIs
      • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,0066222E,?,?,00661F34,?,?,00661F34,?,?,00661F34), ref: 00662252
      Memory Dump Source
      • Source File: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: 00000000.00000002.2327559229.0000000000470000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327617144.0000000000476000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327681748.0000000000484000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327710441.0000000000485000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327733406.0000000000486000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327943262.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327972184.00000000005E0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328012405.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.00000000005FF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328106983.0000000000612000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328129393.0000000000613000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328157050.000000000061A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328178010.000000000061B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328199070.000000000061C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328220092.000000000061D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328263882.0000000000643000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328310641.0000000000658000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328380336.000000000066D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328407424.0000000000674000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328431005.0000000000675000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328453965.0000000000679000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328479855.000000000067A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328503575.0000000000683000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328535104.0000000000693000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328560476.0000000000696000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328584034.0000000000697000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328608964.0000000000699000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328634676.00000000006A1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328658708.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328682807.00000000006A9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328706373.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328735153.00000000006B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328757962.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328780727.00000000006C7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328801844.00000000006C9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328822338.00000000006CA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328849988.00000000006CB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328872754.00000000006D5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328893490.00000000006D8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328933002.0000000000709000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328967672.000000000070A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.0000000000716000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.000000000071C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329050784.000000000072C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329076534.000000000072E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 0308d0231388f71a0df5268f132c4a1bee01ba6c5042fa262e96bf0d8abd431d
      • Instruction ID: cf0f281169236f85100b39823b34621b5b96d7372acc6aad96f8b00b07c59524
      • Opcode Fuzzy Hash: 0308d0231388f71a0df5268f132c4a1bee01ba6c5042fa262e96bf0d8abd431d
      • Instruction Fuzzy Hash: 0BF0F4B2904606EFE724CF05CD19B99BBE9FF44751F108024F44A9BA91D3B198C1CB50
      APIs
      • VirtualAlloc.KERNELBASE(00000000), ref: 0047EC6B
      Memory Dump Source
      • Source File: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: 00000000.00000002.2327559229.0000000000470000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327617144.0000000000476000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327681748.0000000000484000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327710441.0000000000485000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327733406.0000000000486000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327943262.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327972184.00000000005E0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328012405.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.00000000005FF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328106983.0000000000612000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328129393.0000000000613000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328157050.000000000061A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328178010.000000000061B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328199070.000000000061C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328220092.000000000061D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328263882.0000000000643000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328310641.0000000000658000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328380336.000000000066D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328407424.0000000000674000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328431005.0000000000675000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328453965.0000000000679000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328479855.000000000067A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328503575.0000000000683000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328535104.0000000000693000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328560476.0000000000696000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328584034.0000000000697000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328608964.0000000000699000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328634676.00000000006A1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328658708.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328682807.00000000006A9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328706373.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328735153.00000000006B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328757962.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328780727.00000000006C7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328801844.00000000006C9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328822338.00000000006CA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328849988.00000000006CB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328872754.00000000006D5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328893490.00000000006D8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328933002.0000000000709000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328967672.000000000070A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.0000000000716000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328995837.000000000071C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329050784.000000000072C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2329076534.000000000072E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 066d6c13e47d586e0910f559b68198382ad949cf38a86eab86280f43bd543cfc
      • Instruction ID: 49760ea509f45943ea71f4c678a0f8fbfcfbb9620a081b195dd3bb5498d6d85c
      • Opcode Fuzzy Hash: 066d6c13e47d586e0910f559b68198382ad949cf38a86eab86280f43bd543cfc
      • Instruction Fuzzy Hash: 3EF0E7B440CB08DFD3106F1AC8846BEFBF4FF19310F2149AEDAC982240E67908569A1B
      APIs
      • VirtualAlloc.KERNELBASE(00000000), ref: 0047EDA1
      Memory Dump Source
      • Source File: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      • Associated: 00000000.00000002.2327559229.0000000000470000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327587918.0000000000472000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327617144.0000000000476000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327681748.0000000000484000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327710441.0000000000485000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327733406.0000000000486000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327943262.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2327972184.00000000005E0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328012405.00000000005FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328038591.00000000005FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.00000000005FF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328061835.0000000000607000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328106983.0000000000612000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328129393.0000000000613000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328157050.000000000061A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328178010.000000000061B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328199070.000000000061C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328220092.000000000061D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328263882.0000000000643000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328310641.0000000000658000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328335376.000000000065A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328380336.000000000066D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328407424.0000000000674000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328431005.0000000000675000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328453965.0000000000679000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328479855.000000000067A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328503575.0000000000683000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328535104.0000000000693000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328560476.0000000000696000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328584034.0000000000697000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328608964.0000000000699000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328634676.00000000006A1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328658708.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328682807.00000000006A9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328706373.00000000006AB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328735153.00000000006B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328757962.00000000006B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328780727.00000000006C7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328801844.00000000006C9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328822338.00000000006CA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2328849988.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2328872754.00000000006D5000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2328893490.00000000006D8000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2328933002.0000000000709000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2328967672.000000000070A000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2328995837.0000000000716000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2328995837.000000000071C000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2329050784.000000000072C000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2329076534.000000000072E000.00000080.00000001.01000000.00000003.sdmpDownload File
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      APIs
      • CloseHandle.KERNELBASE(?,?,006533C0,?,?), ref: 00655340
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      Similarity
      • API ID: CloseHandle
      • String ID:
      • API String ID: 2962429428-0
      APIs
        • Part of subcall function 00653521: GetCurrentThreadId.KERNEL32 ref: 00653530
        • Part of subcall function 00653521: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00653573
      • GetSystemTime.KERNEL32(?,-11E55FEC), ref: 006576A3
      • GetFileTime.KERNEL32(?,?,?,?,-11E55FEC), ref: 006576E6
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      Similarity
      • API ID: Time$CurrentFileSleepSystemThread
      • String ID:
      • API String ID: 3818558864-0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2327646943.000000000047A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      Similarity
      • API ID:
      • String ID: NTDL
      • API String ID: 0-3662016964
      APIs
        • Part of subcall function 00653521: GetCurrentThreadId.KERNEL32 ref: 00653530
        • Part of subcall function 00653521: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00653573
        • Part of subcall function 00657C22: IsBadWritePtr.KERNEL32(?,00000004), ref: 00657C30
      • wsprintfA.USER32 ref: 00656BEA
      • LoadImageA.USER32(?,?,?,?,?,?), ref: 00656CAE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      Similarity
      • API ID: CurrentImageLoadSleepThreadWritewsprintf
      • String ID: %8x$%8x
      • API String ID: 2375920415-2046107164
      APIs
      • GetFileAttributesExW.KERNEL32(00CBA294,00004020,00000000,-11E55FEC), ref: 00657862
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2328287800.000000000064E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_470000_file.jbxd
      Similarity
      • API ID: AttributesFile
      • String ID: @
      • API String ID: 3188754299-2726393805