

Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1559390
MD5: bd8bd8ac55f48657780d6ff5570f98ce
SHA1: cd99112e246d966339be39c6b3332eeeac90105c
SHA256: 9fe8f85118b90bf8fdd24659d34a1210ce35ff94fd6f52ff5e7d2dbe1f624d5e
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4796 cmdline: "C:\Users\user\Desktop\file.exe" MD5: BD8BD8AC55F48657780D6FF5570F98CE)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055F20F CryptVerifySignatureA
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.2262596275.0000000000382000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2129352020.00000000050E0000.00000004.00001000.00020000.00000000.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00528574
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0055A204 appears 35 times
Source: file.exe, 00000000.00000002.2262613033.0000000000386000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000002.2263497294.000000000130E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2756608 > 1048576
Source: file.exe | Static PE information: Raw size of ywhttfna is bigger than: 0x100000 < 0x29b000
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.2262596275.0000000000382000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2129352020.00000000050E0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.380000.0.unpack :EW;.rsrc:W;.idata :W;ywhttfna:EW;mpyioxor:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2afd16 should be: 0x2af402
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: ywhttfna
Source: file.exe | Static PE information: section name: mpyioxor
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050605D push edi; mov dword ptr [esp], 32FFCE2Eh | 0_2_005060EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050605D push esi; mov dword ptr [esp], 3F6FF761h | 0_2_00506112
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050605D push ebp; mov dword ptr [esp], edi | 0_2_00506141
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050605D push eax; mov dword ptr [esp], edi | 0_2_005061DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050605D push eax; mov dword ptr [esp], edx | 0_2_005061F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038E3CA push 3E9981BBh; mov dword ptr [esp], ebp | 0_2_0038E97F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038C010 push ebx; mov dword ptr [esp], esi | 0_2_0038C02A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051206E push eax; mov dword ptr [esp], ebx | 0_2_0051207D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038C07A push 758380C8h; mov dword ptr [esp], esp | 0_2_0038C091
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0039007A push eax; mov dword ptr [esp], ecx | 0_2_0039110B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0039007A push ebx; mov dword ptr [esp], 756B4547h | 0_2_003931C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038D07D push cs; retf | 0_2_0038D099
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502000 push 2AE1E553h; mov dword ptr [esp], ebx | 0_2_00502089
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502000 push 72AFE392h; mov dword ptr [esp], edi | 0_2_005020E2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502000 push 1AC771C4h; mov dword ptr [esp], ecx | 0_2_005021F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502000 push ebp; mov dword ptr [esp], edx | 0_2_00502221
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502000 push edx; mov dword ptr [esp], ebp | 0_2_00502225
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502000 push 06E888FAh; mov dword ptr [esp], esi | 0_2_005022D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502000 push edi; mov dword ptr [esp], 3B5A030Ah | 0_2_0050230A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502000 push edi; mov dword ptr [esp], 33904544h | 0_2_00502378
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502000 push ecx; mov dword ptr [esp], eax | 0_2_0050238F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502000 push esi; mov dword ptr [esp], ebp | 0_2_0050244B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502000 push ecx; mov dword ptr [esp], ebp | 0_2_00502461
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502000 push 13D30B09h; mov dword ptr [esp], esp | 0_2_005024FF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502000 push 541E105Dh; mov dword ptr [esp], ebx | 0_2_0050252E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00512000 push edx; mov dword ptr [esp], esi | 0_2_005125AB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00587004 push edx; mov dword ptr [esp], eax | 0_2_0058702C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00513024 push ecx; mov dword ptr [esp], 74F35F29h | 0_2_00513032
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00393043 push 3B8B9AD2h; mov dword ptr [esp], esi | 0_2_00395158
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050402F push 153F3522h; mov dword ptr [esp], ebx | 0_2_0050421F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050C0DB push 195CAE26h; mov dword ptr [esp], edi | 0_2_0050C137
Source: file.exe | Static PE information: section name: entropy: 7.815000576313311

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 506DCF second address: 506DE1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F995CCAC596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F995CCAC598h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 505DE3 second address: 505DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 50607D second address: 5060DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F995CCAC596h 0x0000000a jmp 00007F995CCAC5A4h 0x0000000f jmp 00007F995CCAC5A3h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F995CCAC5A5h 0x0000001c jmp 00007F995CCAC5A6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5064EC second address: 5064F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 508992 second address: 508996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 508996 second address: 508A30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995D15D9EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 70A3A196h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F995D15D9E8h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a jmp 00007F995D15D9F8h 0x0000002f push 00000003h 0x00000031 push eax 0x00000032 and edi, 2BD07653h 0x00000038 pop esi 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007F995D15D9E8h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 0000001Ah 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 mov dword ptr [ebp+122D23AAh], edi 0x0000005b push 00000003h 0x0000005d call 00007F995D15D9E9h 0x00000062 pushad 0x00000063 pushad 0x00000064 jo 00007F995D15D9E6h 0x0000006a push edx 0x0000006b pop edx 0x0000006c popad 0x0000006d push edi 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 508A30 second address: 508A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 jo 00007F995CCAC5ACh 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 508A41 second address: 508A5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995D15D9EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push ebx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 508A5B second address: 508A68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 508B1C second address: 508BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F995D15D9EBh 0x00000009 popad 0x0000000a jmp 00007F995D15D9EBh 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007F995D15D9F3h 0x00000016 nop 0x00000017 mov dword ptr [ebp+122D1E15h], eax 0x0000001d push 00000000h 0x0000001f add dword ptr [ebp+122D34E8h], edi 0x00000025 add dword ptr [ebp+122D1C4Eh], ebx 0x0000002b call 00007F995D15D9E9h 0x00000030 jno 00007F995D15DA00h 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F995D15D9F5h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 508BA2 second address: 508BA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 508BA7 second address: 508BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F995D15D9E6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 pushad 0x00000013 push edi 0x00000014 pop edi 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push edx 0x00000019 jg 00007F995D15D9E6h 0x0000001f pop edx 0x00000020 popad 0x00000021 mov eax, dword ptr [eax] 0x00000023 push esi 0x00000024 push edi 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 508D49 second address: 508D6E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov edx, eax 0x0000000a push 00000000h 0x0000000c push 5836A853h 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F995CCAC5A1h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 528509 second address: 528531 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a jmp 00007F995D15D9F3h 0x0000000f je 00007F995D15D9E6h 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 528531 second address: 52855F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995CCAC59Eh 0x00000007 jmp 00007F995CCAC5A7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52855F second address: 52856C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F995D15D9EEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 526523 second address: 526531 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F995CCAC596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 526531 second address: 526535 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 526535 second address: 52654F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 ja 00007F995CCAC596h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jbe 00007F995CCAC596h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52654F second address: 52656B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995D15D9F8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5266AA second address: 5266C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995CCAC59Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F995CCAC5A2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5266C2 second address: 5266C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 526C10 second address: 526C3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995CCAC5A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F995CCAC5A4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 526C3C second address: 526C4C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jne 00007F995D15D9E6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 526DC6 second address: 526DD6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F995CCAC59Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 526DD6 second address: 526DE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F995D15D9EAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 526DE4 second address: 526DEE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 526F0A second address: 526F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F995D15D9E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 526F14 second address: 526F1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 527089 second address: 5270A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F995D15D9E6h 0x0000000a jmp 00007F995D15D9EAh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5270A2 second address: 5270AF instructions: 0x00000000 rdtsc 0x00000002 jne 00007F995CCAC596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51FB55 second address: 51FB83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F995D15D9F6h 0x00000009 jmp 00007F995D15D9EFh 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51FB83 second address: 51FBB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jo 00007F995CCAC596h 0x0000000c popad 0x0000000d jc 00007F995CCAC5A8h 0x00000013 jmp 00007F995CCAC5A0h 0x00000018 push edi 0x00000019 pop edi 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d jng 00007F995CCAC596h 0x00000023 popad 0x00000024 push ecx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4ECB14 second address: 4ECB6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F995D15D9F7h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c jmp 00007F995D15D9F2h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 jmp 00007F995D15D9F7h 0x0000001a pop edi 0x0000001b jne 00007F995D15D9ECh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52806A second address: 528072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 528072 second address: 528078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 528078 second address: 528089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 js 00007F995CCAC5A0h 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 528383 second address: 528387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 528387 second address: 5283C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F995CCAC5A3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jng 00007F995CCAC59Ch 0x00000013 pushad 0x00000014 jmp 00007F995CCAC5A4h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EAF9B second address: 4EAFA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F995D15D9E6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EAFA7 second address: 4EAFAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52F90C second address: 52F912 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52E3B9 second address: 52E3BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4ECB68 second address: 4ECB6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53518A second address: 5351A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F995CCAC5A0h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5352E0 second address: 53533C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jno 00007F995D15D9ECh 0x0000000b jmp 00007F995D15D9F9h 0x00000010 popad 0x00000011 jg 00007F995D15DA19h 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F995D15D9EDh 0x0000001f jmp 00007F995D15D9F6h 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 push ebx 0x00000028 pop ebx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 535595 second address: 53559B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53580C second address: 535810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 535810 second address: 535832 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F995CCAC5A9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 535832 second address: 53583F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F995D15D9E6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5379E0 second address: 537A01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F995CCAC5A2h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 537A01 second address: 537A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 537A11 second address: 537A15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 537A15 second address: 537A1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 537A1B second address: 537A2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F995CCAC5A0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 537A2F second address: 537A33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 537A33 second address: 537A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jp 00007F995CCAC5B7h 0x00000012 pushad 0x00000013 jmp 00007F995CCAC5A9h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 537A61 second address: 537AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push 00000000h 0x00000008 push esi 0x00000009 call 00007F995D15D9E8h 0x0000000e pop esi 0x0000000f mov dword ptr [esp+04h], esi 0x00000013 add dword ptr [esp+04h], 00000017h 0x0000001b inc esi 0x0000001c push esi 0x0000001d ret 0x0000001e pop esi 0x0000001f ret 0x00000020 or dword ptr [ebp+122D2EB6h], edx 0x00000026 call 00007F995D15D9E9h 0x0000002b push eax 0x0000002c push edx 0x0000002d jne 00007F995D15D9E6h 0x00000033 pop edx 0x00000034 pop eax 0x00000035 push eax 0x00000036 pushad 0x00000037 push ecx 0x00000038 jmp 00007F995D15D9EFh 0x0000003d pop ecx 0x0000003e jl 00007F995D15D9F3h 0x00000044 jmp 00007F995D15D9EDh 0x00000049 popad 0x0000004a mov eax, dword ptr [esp+04h] 0x0000004e pushad 0x0000004f push eax 0x00000050 push ecx 0x00000051 pop ecx 0x00000052 pop eax 0x00000053 push eax 0x00000054 push edx 0x00000055 push ebx 0x00000056 pop ebx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 537AD3 second address: 537AE4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F995CCAC596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 538056 second address: 53805A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53805A second address: 53805E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53805E second address: 53806F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jl 00007F995D15DA00h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5381C5 second address: 5381CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5381CC second address: 5381E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F995D15D9F0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5386DB second address: 5386E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5388A5 second address: 5388AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5388AA second address: 5388B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5389B7 second address: 5389BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538A74 second address: 538A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538B46 second address: 538B4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53912B second address: 5391D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995CCAC5A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F995CCAC5A5h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F995CCAC598h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov dword ptr [ebp+122DB710h], edi 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebp 0x00000036 call 00007F995CCAC598h 0x0000003b pop ebp 0x0000003c mov dword ptr [esp+04h], ebp 0x00000040 add dword ptr [esp+04h], 00000018h 0x00000048 inc ebp 0x00000049 push ebp 0x0000004a ret 0x0000004b pop ebp 0x0000004c ret 0x0000004d jmp 00007F995CCAC5A1h 0x00000052 xchg eax, ebx 0x00000053 push eax 0x00000054 push edx 0x00000055 jbe 00007F995CCAC5A8h 0x0000005b jmp 00007F995CCAC5A2h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5391D0 second address: 5391ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995D15D9EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F995D15D9E8h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539C36 second address: 539C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539C3A second address: 539C3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539C3E second address: 539CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F995CCAC598h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 push edi 0x00000025 pushad 0x00000026 mov edi, 413037EFh 0x0000002b je 00007F995CCAC596h 0x00000031 popad 0x00000032 pop edi 0x00000033 push 00000000h 0x00000035 mov si, 69A1h 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push esi 0x0000003e call 00007F995CCAC598h 0x00000043 pop esi 0x00000044 mov dword ptr [esp+04h], esi 0x00000048 add dword ptr [esp+04h], 00000019h 0x00000050 inc esi 0x00000051 push esi 0x00000052 ret 0x00000053 pop esi 0x00000054 ret 0x00000055 sub dword ptr [ebp+122D270Ah], ecx 0x0000005b xchg eax, ebx 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F995CCAC59Bh 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53AE05 second address: 53AE0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53D2C7 second address: 53D2D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F995CCAC596h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C03D second address: 53C064 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995D15D9ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F995D15D9F5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53D2D8 second address: 53D2DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53D2DC second address: 53D2E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53FC33 second address: 53FC37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53FC37 second address: 53FC3D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542565 second address: 54256B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542A2D second address: 542A45 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F995D15D9ECh 0x00000008 jc 00007F995D15D9E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542A45 second address: 542A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542A4A second address: 542A4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 543A17 second address: 543A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 543A1C second address: 543A22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5469E8 second address: 5469EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547A06 second address: 547A1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F995D15D9F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542C02 second address: 542C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547AC5 second address: 547AD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F995D15D9E6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549B1B second address: 549B1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 548D80 second address: 548D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549B1F second address: 549B23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549B23 second address: 549B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 548D85 second address: 548D8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 548D8B second address: 548D8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54AAC3 second address: 54AB27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995CCAC59Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b ja 00007F995CCAC598h 0x00000011 pop esi 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F995CCAC598h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d jne 00007F995CCAC599h 0x00000033 push 00000000h 0x00000035 mov edi, dword ptr [ebp+122D370Ah] 0x0000003b push 00000000h 0x0000003d mov edi, dword ptr [ebp+122D307Ch] 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F995CCAC59Bh 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54BB5D second address: 54BB63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54BB63 second address: 54BB85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F995CCAC5A7h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54CB6B second address: 54CBD8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jno 00007F995D15D9E6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d call 00007F995D15D9F6h 0x00000012 pop ebx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F995D15D9E8h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f add dword ptr [ebp+122D23AFh], edx 0x00000035 push 00000000h 0x00000037 call 00007F995D15D9F7h 0x0000003c pop ebx 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jg 00007F995D15D9E8h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54CBD8 second address: 54CBDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54DA58 second address: 54DA5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54FB1B second address: 54FB2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F995CCAC59Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54FB2A second address: 54FB31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54ECB7 second address: 54ECBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551A8B second address: 551A9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995D15D9EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551A9E second address: 551B47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995CCAC5A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F995CCAC598h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F995CCAC598h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 0000001Ah 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push esi 0x00000047 call 00007F995CCAC598h 0x0000004c pop esi 0x0000004d mov dword ptr [esp+04h], esi 0x00000051 add dword ptr [esp+04h], 00000015h 0x00000059 inc esi 0x0000005a push esi 0x0000005b ret 0x0000005c pop esi 0x0000005d ret 0x0000005e jmp 00007F995CCAC5A7h 0x00000063 mov dword ptr [ebp+122D34A7h], eax 0x00000069 push eax 0x0000006a pushad 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e popad 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56505A second address: 565064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F995D15D9E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 565341 second address: 56534A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56534A second address: 56534E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56534E second address: 565352 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56DFB7 second address: 56DFBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F8A1D second address: 4F8A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57136C second address: 571371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 571371 second address: 571376 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 571376 second address: 57139E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F995D15D9F7h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57139E second address: 5713BB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F995CCAC596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 jmp 00007F995CCAC59Ah 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5713BB second address: 5713C0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5713C0 second address: 5713E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F995CCAC5A4h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5713E9 second address: 5713F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F995D15D9E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5714E0 second address: 57151B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F995CCAC5A6h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F995CCAC5A0h 0x00000014 mov eax, dword ptr [eax] 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 jnc 00007F995CCAC596h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57151B second address: 57152F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F995D15D9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57152F second address: 571536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 575AAD second address: 575ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F995D15D9EAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 575ABC second address: 575AC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 575AC2 second address: 575AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 575AC8 second address: 575AFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995CCAC5A6h 0x00000007 jmp 00007F995CCAC5A4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 576380 second address: 57639C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F995D15D9F0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57639C second address: 5763A6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F995CCAC596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5763A6 second address: 5763AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5763AC second address: 5763B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5763B2 second address: 5763B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5763B6 second address: 5763F7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F995CCAC596h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F995CCAC5A5h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F995CCAC5A8h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5763F7 second address: 5763FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5763FB second address: 576403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 576403 second address: 576419 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F995D15D9F2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 576C0B second address: 576C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5360A4 second address: 5360CC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jnc 00007F995D15D9E6h 0x00000011 jmp 00007F995D15D9F6h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5360CC second address: 5360D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F995CCAC596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5360D6 second address: 536111 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F995D15D9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d lea eax, dword ptr [ebp+1247BE71h] 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F995D15D9E8h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d mov ecx, dword ptr [ebp+122D37AEh] 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536111 second address: 536116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536116 second address: 51FB55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995D15D9ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jns 00007F995D15D9EBh 0x00000012 call dword ptr [ebp+122D349Ah] 0x00000018 jng 00007F995D15DA24h 0x0000001e jmp 00007F995D15D9F1h 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536768 second address: 5367A3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F995CCAC5A2h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F995CCAC5A8h 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5367A3 second address: 5367A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5367A7 second address: 536839 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995CCAC59Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F995CCAC59Ch 0x0000000f popad 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push edi 0x00000015 pushad 0x00000016 jmp 00007F995CCAC5A5h 0x0000001b jng 00007F995CCAC596h 0x00000021 popad 0x00000022 pop edi 0x00000023 pop eax 0x00000024 pushad 0x00000025 pushad 0x00000026 mov dword ptr [ebp+122D1CF2h], ecx 0x0000002c mov esi, dword ptr [ebp+122D3782h] 0x00000032 popad 0x00000033 mov edi, dword ptr [ebp+122D346Eh] 0x00000039 popad 0x0000003a call 00007F995CCAC599h 0x0000003f push ebx 0x00000040 jmp 00007F995CCAC5A5h 0x00000045 pop ebx 0x00000046 push eax 0x00000047 push ebx 0x00000048 pushad 0x00000049 jne 00007F995CCAC596h 0x0000004f jng 00007F995CCAC596h 0x00000055 popad 0x00000056 pop ebx 0x00000057 mov eax, dword ptr [esp+04h] 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e push edx 0x0000005f pop edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536839 second address: 536848 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536848 second address: 53685B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F995CCAC59Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53685B second address: 53685F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536D25 second address: 536D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F995CCAC59Ah 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c jnc 00007F995CCAC5A2h 0x00000012 nop 0x00000013 mov ecx, dword ptr [ebp+122D3762h] 0x00000019 push 00000004h 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e call 00007F995CCAC598h 0x00000023 pop edx 0x00000024 mov dword ptr [esp+04h], edx 0x00000028 add dword ptr [esp+04h], 0000001Bh 0x00000030 inc edx 0x00000031 push edx 0x00000032 ret 0x00000033 pop edx 0x00000034 ret 0x00000035 jns 00007F995CCAC599h 0x0000003b nop 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F995CCAC5A2h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8C68 second address: 5E8C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8C6E second address: 5E8C86 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F995D15D9ECh 0x00000008 je 00007F995D15D9EEh 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8DF8 second address: 5E8DFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8DFD second address: 5E8E05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8E05 second address: 5E8E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jnp 00007F995CCAC5C8h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007F995CCAC5A2h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E97DC second address: 5E97E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E97E0 second address: 5E97FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F995CCAC5A4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ECFD1 second address: 5ECFEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F995D15D9F4h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F7D85 second address: 5F7D89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F7D89 second address: 5F7D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F995D15D9ECh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60ED97 second address: 60ED9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60ED9B second address: 60EDA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60E246 second address: 60E25D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995CCAC59Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60E25D second address: 60E261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60E62B second address: 60E645 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F995CCAC5A6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60E645 second address: 60E66E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F995D15D9F1h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jl 00007F995D15DA0Dh 0x00000013 jnp 00007F995D15D9EEh 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60E7D1 second address: 60E7D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 611920 second address: 61192A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 616EE0 second address: 616EE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 616EE6 second address: 616EEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 616FE1 second address: 616FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61A029 second address: 61A02F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61A02F second address: 61A033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61A033 second address: 61A03B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 612EC4 second address: 612EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 612EC8 second address: 612ECC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 612ECC second address: 612EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a push esi 0x0000000b jmp 00007F995CCAC59Eh 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F995CCAC59Fh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 612D61 second address: 612D7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F995D15D9F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d jg 00007F995D15D9E6h 0x00000013 rdtsc
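Each line above records one pair of rdtsc reads that the sandbox intercepted, and many records chain into the next one (the second address of one record is the first address of the following). The script below is added by the editor for this report and is not Joe Sandbox code: it parses that line format, rebuilds the chains and classifies what sits between the two reads. Its input is nine of the lines above copied verbatim; the junk heuristic (balanced push/pop, pushad/popad and jumps carry no computation) is the editor's assumption.

```python
import re
from collections import Counter

# One report line: "... First address: 5D26D4 second address: 5D26F7 instructions: 0x00000000 rdtsc ..."
LINE_RE = re.compile(r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+) instructions: (.*)")
# Instructions are prefixed by their offset inside the intercepted block, e.g. "0x00000008 pushad"
OFFSET_RE = re.compile(r"\s*0x[0-9A-Fa-f]{8}\s+")
# Editor's heuristic: stack-neutral pushes/pops and jumps are filler, not the timing computation
JUNK_MNEMONICS = {"push", "pop", "pushad", "popad", "pushfd", "popfd", "nop", "jmp"}

# Constructed sample: nine interceptor lines copied from this report (prefix shortened)
SAMPLE_LINES = [
    "file.exe | RDTSC instruction interceptor: First address: 5D26D4 second address: 5D26F7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F995D15D9FEh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F995D15D9F6h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc",
    "file.exe | RDTSC instruction interceptor: First address: 5D26F7 second address: 5D26FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc",
    "file.exe | RDTSC instruction interceptor: First address: 5D26FD second address: 5D2725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F995D15D9EAh 0x00000009 jmp 00007F995D15D9ECh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jne 00007F995D15D9EEh 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc",
    "file.exe | RDTSC instruction interceptor: First address: 5D2725 second address: 5D273E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F995CCAC5A1h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc",
    "file.exe | RDTSC instruction interceptor: First address: 5D273E second address: 5D2753 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F995D15D9EBh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc",
    "file.exe | RDTSC instruction interceptor: First address: 5D2753 second address: 5D2757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    "file.exe | RDTSC instruction interceptor: First address: 5E0020 second address: 5E0024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    "file.exe | RDTSC instruction interceptor: First address: 5E0024 second address: 5E0032 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F995CCAC596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc",
    "file.exe | RDTSC instruction interceptor: First address: 5E0032 second address: 5E0036 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
]


def parse_line(line):
    """Return {'first', 'second', 'instructions'} for one interceptor line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    first, second, body = m.groups()
    instructions = [t.strip() for t in OFFSET_RE.split(body) if t.strip()]
    return {"first": int(first, 16), "second": int(second, 16), "instructions": instructions}


def is_junk(instruction):
    mnemonic = instruction.split()[0].lower()
    return mnemonic in JUNK_MNEMONICS or mnemonic.startswith("j")  # jne/je/jl/jg/jp/jnp: conditional filler


def build_chains(records):
    """Link records whose second address is another record's first address (back-to-back rdtsc reads)."""
    by_first = {r["first"]: r for r in records}
    continuations = {r["second"] for r in records}
    chains = []
    for head in sorted(r["first"] for r in records):
        if head in continuations:
            continue  # reached from an earlier record, not a chain head
        chain, seen, cur = [head], {head}, by_first[head]
        while cur is not None and cur["second"] not in seen:
            chain.append(cur["second"])
            seen.add(cur["second"])
            cur = by_first.get(cur["second"])
        chains.append(chain)
    return chains


def summarize(lines):
    """Count rdtsc sites, chains, and anything between paired reads that is not filler."""
    records = [r for r in map(parse_line, lines) if r]
    between = []
    for r in records:
        ins = r["instructions"]
        if ins[0] != "rdtsc" or ins[-1] != "rdtsc":
            raise ValueError(f"block at {r['first']:X} is not bracketed by rdtsc")
        between.extend(ins[1:-1])
    return {
        "records": len(records),
        "rdtsc_sites": len({a for r in records for a in (r["first"], r["second"])}),
        "between": len(between),
        "mnemonics": Counter(i.split()[0].lower() for i in between),
        "substantive": [i for i in between if not is_junk(i)],
        "chains": build_chains(records),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print(f"{s['records']} records, {s['rdtsc_sites']} rdtsc sites, {len(s['chains'])} chains")
    for chain in s["chains"]:
        print("  " + " -> ".join(f"{a:X}" for a in chain))
    print("non-filler instructions between reads:", s["substantive"] or "none")
```

On the sample every instruction between paired reads is stack-neutral filler or a jump, and the comparison of the two counter values is not in these blocks at all. That is the signature of a protector-inserted timing check: a sandbox that patches only the first rdtsc site, or returns a constant, is caught by the next site in the chain, so it has to deliver plausible, monotonically increasing values for every intercepted read.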
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 52F892 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 52E1CF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 52E526 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 38DA67 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5C4DA7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 52A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 54B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 74B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050605D rdtsc 0_2_0050605D
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 4268 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe, 00000000.00000002.2262795963.0000000000510000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2262795963.0000000000510000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050605D rdtsc 0_2_0050605D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00390414 LdrInitializeThunk,0_2_00390414
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.2263035061.0000000000562000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: xProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055E351 GetSystemTime,GetFileTime,0_2_0055E351
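The window classes, SoftICE device names, registry value names and the ACPI table name in the two sections above are static artifacts: they have to exist in the binary or in its unpacked memory for the checks to run, and the memory strings already quoted (Oreans.vxd, Software\WinLicense) say which protector brought them. The scanner below is written by the editor for this page, not taken from the report or from any tool: it searches a memory dump for exactly those strings in ASCII and UTF-16LE and maps the hits to ATT&CK techniques. The artifact strings are the report's; the category labels, the ATT&CK assignment, the `\\.\` device-path form of the SoftICE names (the report lists them bare) and the sample dump are the editor's constructions.

```python
import re
from dataclasses import dataclass

# Artifact strings from this report, grouped by the check they serve (grouping is the editor's).
ARTIFACTS = {
    "anti-debug:window": [
        "regmonclass", "filemonclass", "procmon_window_class", "ollydbg",
        "gbdyllo",  # "ollydbg" spelled backwards, as listed in the report
        "process monitor - sysinternals: www.sysinternals.com",
        "registry monitor - sysinternals: www.sysinternals.com",
        "file monitor - sysinternals: www.sysinternals.com",
    ],
    # SoftICE device names; the report shows them bare, this is the form CreateFile opens them in
    "anti-debug:kernel-debugger-device": [r"\\.\NTICE", r"\\.\SICE", r"\\.\SIWVID"],
    "anti-vm": [
        r"HARDWARE\ACPI\DSDT\VBOX__", "SystemBiosVersion", "VideoBiosVersion",
        "{4d36e968-e325-11ce-bfc1-08002be10318}",  # display-adapter device class; DriverDesc names the (virtual) GPU
    ],
    "protector": [r"\\.\Oreans.vxd", r"Software\WinLicense", "XprotEvent"],
}

TECHNIQUES = {  # ATT&CK mapping (editor's assignment)
    "anti-vm": "T1497 Virtualization/Sandbox Evasion",
    "anti-debug:window": "T1622 Debugger Evasion",
    "anti-debug:kernel-debugger-device": "T1622 Debugger Evasion",
    "protector": "T1027.002 Software Packing (Oreans WinLicense/Themida markers)",
}


@dataclass(frozen=True)
class Hit:
    category: str
    artifact: str
    encoding: str
    offset: int


def _compile_patterns():
    # Case-insensitive byte patterns; for UTF-16LE the NUL bytes are literal and the letters stay case-folded
    for category, strings in ARTIFACTS.items():
        for s in strings:
            for enc in ("ascii", "utf-16le"):
                yield category, s, enc, re.compile(re.escape(s.encode(enc)), re.IGNORECASE)


PATTERNS = list(_compile_patterns())


def find_artifacts(blob):
    """Return every artifact occurrence in a memory dump or file image, ordered by offset."""
    hits = [Hit(cat, s, enc, m.start()) for cat, s, enc, pat in PATTERNS for m in pat.finditer(blob)]
    return sorted(hits, key=lambda h: (h.offset, h.category))


def classify(hits):
    """Collapse hits to the set of ATT&CK techniques they evidence."""
    return {TECHNIQUES[h.category] for h in hits}


# Constructed sample dump: ASCII and UTF-16LE artifacts plus a benign window title also seen in the report
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"HARDWARE\\ACPI\\DSDT\\VBOX__\x00"
    + "procmon_window_class".encode("utf-16le") + b"\x00\x00"
    + b"\\\\.\\SICE\x00"
    + b"Software\\WinLicense\x00"
    + b"Program Manager\x00"
)

if __name__ == "__main__":
    hits = find_artifacts(SAMPLE_DUMP)
    for h in hits:
        print(f"{h.offset:#06x} {h.category:34} {h.encoding:8} {h.artifact}")
    print(sorted(classify(hits)))
```

Run it over the process memory dumps the sandbox saved (the .sdmp files named in the Source column) rather than over the file on disk: the sections table further down shows the on-disk image is almost entirely a packed, high-entropy blob, so these strings only become visible after unpacking. A single hit on SystemBiosVersion or the display-class GUID is weak evidence on its own, since legitimate hardware inventory code reads them too; the combination with the Sysinternals window classes and the SoftICE device names is what makes the verdict.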

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
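The registry writes above are what a Sysmon Event ID 13 (RegistryEvent: Value Set) feed shows for this process. The detector below is an added example and not Joe Sandbox code: it evaluates constructed event records modelled on those writes against a small rule table and tags each alert with the ATT&CK technique. Key paths and value names come from the report; the DWORD data of the WindowsUpdate values (the report lists no data for them) and the Features subkey under which TamperProtection is written are assumptions, as is the svchost.exe record used as the benign counter-example.

```python
import re
from dataclasses import dataclass
from typing import Callable

FILE_EXE = r"C:\Users\user\Desktop\file.exe"

# Constructed Sysmon Event ID 13 records modelled on this report's registry writes.
# Assumed (not in the report): DWORD data for the WindowsUpdate values, the Features subkey for TamperProtection.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": FILE_EXE, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"EventID": 13, "Image": FILE_EXE, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection"},
    {"EventID": 13, "Image": FILE_EXE, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications"},
    {"EventID": 13, "Image": FILE_EXE, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"},
    {"EventID": 13, "Image": FILE_EXE, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions"},
    {"EventID": 13, "Image": FILE_EXE, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdates"},
    {"EventID": 13, "Image": FILE_EXE, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations"},
    # Same value written back to 0 (re-enabling): must not alert
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    # Unrelated string value: outside these rules
    {"EventID": 13, "Image": FILE_EXE, "Details": r"C:\Users\user\AppData\Roaming\x.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    key_re: re.Pattern            # searched against the key path (TargetObject without the value name)
    value_name: str
    alert_if: Callable[[int], bool]


DEFENDER_RT = r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection$"
WU_POLICY = r"\\Policies\\Microsoft\\Windows\\WindowsUpdate"
RULES = [
    Rule("Defender real-time monitoring disabled by policy", "T1562.001",
         re.compile(DEFENDER_RT, re.I), "DisableRealtimeMonitoring", lambda v: v == 1),
    Rule("Defender IOAV (download/attachment) scanning disabled by policy", "T1562.001",
         re.compile(DEFENDER_RT, re.I), "DisableIOAVProtection", lambda v: v == 1),
    Rule("Defender Security Center notifications suppressed", "T1562.001",
         re.compile(r"\\Windows Defender Security Center\\Notifications$", re.I), "DisableNotifications", lambda v: v == 1),
    Rule("Defender tamper protection switched off", "T1562.001",
         re.compile(r"\\Windows Defender\\", re.I), "TamperProtection", lambda v: v == 0),
    Rule("Automatic Updates disabled (AUOptions=1)", "T1562",
         re.compile(WU_POLICY + r"\\AU$", re.I), "AUOptions", lambda v: v == 1),
    Rule("Auto-install of minor updates disabled", "T1562",
         re.compile(WU_POLICY + r"\\AU$", re.I), "AutoInstallMinorUpdates", lambda v: v == 0),
    Rule("Windows Update cut off from Microsoft update servers", "T1562",
         re.compile(WU_POLICY + r"$", re.I), "DoNotConnectToWindowsUpdateInternetLocations", lambda v: v == 1),
]

DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def parse_dword(details):
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000001)'; anything else yields None."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def detect(events, trusted_images=frozenset()):
    """Evaluate Event ID 13 records against RULES; trusted_images marks policy-managed writers (e.g. the GP client)."""
    trusted = {p.lower() for p in trusted_images}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key, _, value_name = ev["TargetObject"].rpartition("\\")
        data = parse_dword(ev.get("Details", ""))
        if data is None:
            continue
        for rule in RULES:
            if value_name.lower() == rule.value_name.lower() and rule.key_re.search(key) and rule.alert_if(data):
                alerts.append({"rule": rule.name, "technique": rule.technique, "image": ev["Image"],
                               "key": key, "value": value_name, "data": data,
                               "trusted_writer": ev["Image"].lower() in trusted})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['technique']}] {a['rule']} <- {a['image']}")
```

The Policies keys are also written legitimately by the Group Policy client on managed hosts, so in production the alert must carry the writing image and be downgraded for the configured policy writers; `trusted_images` is where that baseline goes. A value-set event for TamperProtection=0 from an ordinary user process should stay high severity regardless of baseline, as should any of the Defender values written by a process running from a user's Desktop.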
MITRE ATT&CK matrix (only cells with a signature count are listed; the other cells of the rendered matrix are empty placeholders):

  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Bypass User Account Control (2)
  • Defense Evasion: Masquerading (1), Disable or Modify Tools (41), Virtualization/Sandbox Evasion (261), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (11), DLL Side-Loading (1), Bypass User Account Control (2)
  • Discovery: System Time Discovery (1), Security Software Discovery (641), Process Discovery (2), Virtualization/Sandbox Evasion (261), System Information Discovery (23)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (2)
Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1559390
Start date and time:2024-11-20 13:26:06 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 20s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, ctldl.windowsupdate.com
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.529111957722914
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:2'756'608 bytes
MD5:bd8bd8ac55f48657780d6ff5570f98ce
SHA1:cd99112e246d966339be39c6b3332eeeac90105c
SHA256:9fe8f85118b90bf8fdd24659d34a1210ce35ff94fd6f52ff5e7d2dbe1f624d5e
SHA512:fb876cc6a46a9a4a7bbaa817c6a4ae0e791b55123b17ff5c62ec0a0b630e4fc7d4b0652ce5a4421099d16609231decce2f80921bdc819b8e76d6484f39ea32ee
SSDEEP:24576:9PIWADOWjlH8wAYY0C68YNUwpaoZ1x7MKsMq+NuThdxQMf16pMABQLJX7RvX7uWR:ZIWADBjxaYYzopph0v+C9vejc/rXd
TLSH:0AD55B92B54971DFD48E13B499A7CDC2589D07F90B2508C39C2DB6BABDA3CC512F6C28
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............*.. ...`....@.. ........................*.......*...`................................
Icon Hash:00928e8e8686b000
Entrypoint:0x6a8000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Entrypoint instructions (disassembly from the .taggant entry point; after the initial jmp the listing decodes non-code bytes, mostly 00 00 shown as add byte ptr [eax], al, so only the first instruction is meaningful):
jmp 00007F995CFB26CAh
pmaxsw mm5, qword ptr [ecx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], cl
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, byte ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(empty name) | 0x2000 | 0x4000 | 0x1200 | 9bce733d11d7a68839012ffa131da5f1 | False | 0.9340277777777778 | data | 7.815000576313311 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ywhttfna | 0xa000 | 0x29c000 | 0x29b000 | 0fe2b0be56b6a4a3f47d3d871a181d78 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mpyioxor | 0x2a6000 | 0x2000 | 0x400 | e1c52d0886851a8665c6d82a4f625d48 | False | 0.7421875 | data | 5.870935239369237 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2a8000 | 0x4000 | 0x2200 | 599c962c52bada49d0609e90c9bc019f | False | 0.04894301470588235 | DOS executable (COM) | 0.531757473184582 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
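Four of the six sections in the table above are writable and executable, three carry randomised names, one has no name at all, and the entry point (0x6a8000, i.e. RVA 0x2a8000 above the 0x400000 image base) lands in .taggant. Those are the facts behind the "entry point lies outside standard sections", "section with special chars" and "invalid checksum" signatures. The parser below is added by the editor, not Joe Sandbox or pefile code, and reproduces those checks from a raw section table; as its fixture it builds a header-only PE from the values in the table. The raw-data file offsets and the CheckSum field value are not in the report and are assumed; the checksum folding is the imagehlp algorithm, the same one pefile's generate_checksum implements.

```python
import re
import struct
from collections import namedtuple

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names a compiler/linker emits by default; anything else is treated as non-standard (editor's list)
STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc", ".bss", ".tls", ".pdata", ".CRT"}
NAME_RE = re.compile(r"[A-Za-z0-9._$]+")

Section = namedtuple("Section", "name vaddr vsize rawsize rawptr chars")


def parse_pe(data):
    """Pull the entry point, CheckSum and section table out of a PE32/PE32+ image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # IMAGE_OPTIONAL_HEADER; AddressOfEntryPoint is at +16, CheckSum at +64 for PE32 and PE32+
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(Section(f[0].rstrip(b"\0").decode("latin-1"), f[2], f[1], f[3], f[4], f[9]))
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "checksum_offset": opt + 64, "sections": sections}


def pe_checksum(data, checksum_offset):
    """imagehlp CheckSumMappedFile folding: 32-bit sum with carry, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_offset:  # the CheckSum field itself is excluded from the sum
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def analyze(data):
    """Return (code, detail) findings mirroring the sandbox's static PE signatures."""
    hdr = parse_pe(data)
    entry = hdr["entry_rva"]
    findings = []
    ep_sec = next((s for s in hdr["sections"] if s.vaddr <= entry < s.vaddr + max(s.vsize, s.rawsize)), None)
    if ep_sec is None:
        findings.append(("entry_point_outside_sections", f"entry point RVA {entry:#x} is in no section"))
    elif ep_sec.name not in STANDARD_NAMES:
        findings.append(("entry_point_nonstandard", f"entry point RVA {entry:#x} lies in {ep_sec.name!r}"))
    for s in hdr["sections"]:
        if not NAME_RE.fullmatch(s.name):
            findings.append(("section_name_special", f"section {s.name!r} has an empty or special-character name"))
        elif s.name not in STANDARD_NAMES:
            findings.append(("section_name_nonstandard", f"section {s.name!r} is not a linker default"))
        if s.chars & IMAGE_SCN_MEM_WRITE and s.chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("section_wx", f"section {s.name!r} is writable and executable"))
    if hdr["checksum"] and hdr["checksum"] != pe_checksum(data, hdr["checksum_offset"]):
        findings.append(("checksum_mismatch", f"header CheckSum {hdr['checksum']:#010x} does not match the image"))
    return findings


RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# This report's section table: (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics)
REPORT_SECTIONS = [
    ("", 0x2000, 0x4000, 0x1200, RWX),
    (".rsrc", 0x6000, 0x59c, 0x600, RW),
    (".idata", 0x8000, 0x2000, 0x200, RW),
    ("ywhttfna", 0xa000, 0x29c000, 0x29b000, RWX),
    ("mpyioxor", 0x2a6000, 0x2000, 0x400, RWX),
    (".taggant", 0x2a8000, 0x4000, 0x2200, RWX),
]
REPORT_ENTRY_RVA = 0x2a8000  # the report's entry point 0x6a8000 less its image base 0x400000


def build_header_only_pe(sections=REPORT_SECTIONS, entry_rva=REPORT_ENTRY_RVA, checksum=0):
    """Test fixture: a PE32 header carrying this section table and no section bodies (not a loadable image).
    Raw file offsets are not in the report and are assigned sequentially here (assumption)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x652C2850, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    struct.pack_into("<I", opt, 64, checksum)
    table, rawptr = b"", 0x400
    for name, va, vs, rs, ch in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode()[:8].ljust(8, b"\0"), vs, va, rs, rawptr, 0, 0, 0, 0, ch)
        rawptr += rs
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


if __name__ == "__main__":
    for code, detail in analyze(build_header_only_pe(checksum=0x12345678)):
        print(f"{code:30} {detail}")
```

On a real sample the same `analyze` runs over the file bytes directly. Only a non-zero CheckSum field is compared, because most unsigned user-mode binaries legitimately carry zero there; a non-zero value that does not match means the header was edited after the linker wrote it, which for this sample is consistent with a protector rewriting the section table.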
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
No network behavior found

Target ID:0
Start time:07:27:03
Start date:20/11/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x380000
File size:2'756'608 bytes
MD5 hash:BD8BD8AC55F48657780D6FF5570F98CE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Execution Graph

    Execution Coverage:4.8%
    Dynamic/Decrypted Code Coverage:4.4%
    Signature Coverage:0.7%
    Total number of Nodes:275
    Total number of Limit Nodes:12
    execution_graph: the rendered node/edge diagram does not survive as text; the API calls resolved on its nodes are listed here instead.
    Handle and module housekeeping: GetCurrentThreadId, GetCurrentProcess, DuplicateHandle, CloseHandle, GetModuleHandleA, GetModuleHandleW, GetModuleHandleExA, FreeLibrary
    Import resolution and memory preparation: LoadLibraryA, LoadLibraryExA, LoadLibraryExW, GetProcAddress, VirtualAlloc, VirtualProtect, IsBadWritePtr, lstrcmpiA, lstrcpyn, PathAddExtensionA
    File access: GetWindowsDirectoryA, GetFileAttributesA, GetFileAttributesW, CreateFileA, CreateFileW, ReadFile, CreateFileMappingA, MapViewOfFileEx
    Service and token operations: OpenSCManagerW, ControlService, ImpersonateLoggedOnUser
    Nodes 52a0d48 (OpenSCManagerW), 52a10f0 (CloseHandle), 52a1308 (ImpersonateLoggedOnUser) and 52a1510 (ControlService) lie just above the 52A0000 address reserved with a write watch in the evasion section; node 50605d (LoadLibraryA) is the same function reported above for its rdtsc use.

    Control-flow Graph

    • Function at 50605d (nodes 50605d-50620a): LoadLibraryA called at 50605d-506061
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2262795963.0000000000502000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 06df1848e15507d4e3da0b90adef4e893a4dd90477d761ed64ed167be2aa3d30
    • Instruction ID: 310c48e8d1b77f1255f868b1ae0b406a333c9cdfc6fc525920593315e1dcf5c4
    • Opcode Fuzzy Hash: 06df1848e15507d4e3da0b90adef4e893a4dd90477d761ed64ed167be2aa3d30
    • Instruction Fuzzy Hash: FD416BB254C210EFE311AF19E9416BEFBE9FF85320F22482EE6C483640D37644549BA3

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 0055B9E8
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 0055B9FC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: c59d660af66dc0570d290648a83a43e4088ddfe102cf545dfd336ba2bb68516d
    • Instruction ID: 4fb8a37a93e41e781155cde899c61dc99e36b1fe23eaef75832319e8829e5401
    • Opcode Fuzzy Hash: c59d660af66dc0570d290648a83a43e4088ddfe102cf545dfd336ba2bb68516d
    • Instruction Fuzzy Hash: AF319C3140424AEFEF21AF50C92DAAD7F75FF48352F108517FE0296121D735AAA8DB52

    Control-flow Graph

    • Function at 55bddd (nodes 55bddd-55beba): GetModuleHandleW at 55be97-55bea0, GetModuleHandleA at 55bea5-55bea8; internal calls to 55b741, 55a204, 55a916, 55a2af
    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,0055BD6F,?,00000000,00000000), ref: 0055BE9A
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,0055BD6F,?,00000000,00000000), ref: 0055BEA8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: 8a478261a70fb464429202eafeae6481828a456b8697cb78a9767b23cb91bc72
    • Instruction ID: 623c05e693aae2be7c5f34bdb3ebf0efbb3a8cb07bc1cadb2d524d54a112e1c6
    • Opcode Fuzzy Hash: 8a478261a70fb464429202eafeae6481828a456b8697cb78a9767b23cb91bc72
    • Instruction Fuzzy Hash: D4112E31504606EFFB30AF14C82E7A97EB9BF50347F184617BE0544490D7B5A9ECCA92

    Control-flow Graph

    • Function at 55e737 (nodes 55e737-55e7d1): GetFileAttributesW at 55e7aa-55e7b6, GetFileAttributesA at 55e7bb-55e7be; internal calls to 55a204, 55a968, 55a916, 55a2af
    APIs
    • GetFileAttributesW.KERNELBASE(01341914,-11F45FEC), ref: 0055E7B0
    • GetFileAttributesA.KERNEL32(00000000,-11F45FEC), ref: 0055E7BE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 23839efea845d5e091bb0172db8cfa9d9bdfec226ffcea2665bbe208601fce1e
    • Instruction ID: 28f53b2afa1989b79401ea5da44c45870726628fbf386de5d7aad277751fcdf7
    • Opcode Fuzzy Hash: 23839efea845d5e091bb0172db8cfa9d9bdfec226ffcea2665bbe208601fce1e
    • Instruction Fuzzy Hash: 2D018630510285FAEF289B64C86EB9C7E70FF98307F218166EC0665490C7B04BD9EB41

    Control-flow Graph

    • Function at 508ad7 (nodes 508ad7-508f84): CreateFileA at 508e04-508e12; internal calls to 508b6a, 508bf7, 508f01, 508f60, 508f87
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2262795963.0000000000502000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID:
    • String ID: C
    • API String ID: 0-1037565863
    • Opcode ID: 89dc2ca7c8be9595671db00e6b7fc9356dfd10d2c2f4190e16ba98bd262b729e
    • Instruction ID: f2fa84f77ec2fea0612669a35a1f9f7699a10446bc7eeb7f780ad6d1a13ae459
    • Opcode Fuzzy Hash: 89dc2ca7c8be9595671db00e6b7fc9356dfd10d2c2f4190e16ba98bd262b729e
    • Instruction Fuzzy Hash: E54124B250C286AED7118E24D964EBE7FADFB96730F3048AAF481C75C2DA611C499724

    Control-flow Graph

    • Function at 55a7b7 (nodes 55a7b7-55a913): PathAddExtensionA at 55a812-55a824; internal calls to 55a458, 55a491
    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 0055A819
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 60b32491d26ea7f50108bc3a8e8eef4e4712e7b67b879311bb5dd8a9a9170f41
    • Instruction ID: eb22dfecff06052252a3f580118c639647db56bd32c579455fb7020abdadf0a2
    • Opcode Fuzzy Hash: 60b32491d26ea7f50108bc3a8e8eef4e4712e7b67b879311bb5dd8a9a9170f41
    • Instruction Fuzzy Hash: 71313D3590020ABFDF219F94CD19B9EBF75BF48716F000266FE00A5060D7729A69EB55

    Control-flow Graph

    control_flow_graph 158 55bec6-55bed9 call 55a204 161 55bf1c-55bf30 call 55a2af GetModuleHandleExA 158->161 162 55bedf-55beeb call 55a916 158->162 168 55bf3a-55bf3c 161->168 165 55bef0-55bef2 162->165 165->161 167 55bef8-55beff 165->167 169 55bf05 167->169 170 55bf08-55bf35 call 55a2af 167->170 169->170 170->168
    APIs
      • Part of subcall function 0055A204: GetCurrentThreadId.KERNEL32 ref: 0055A213
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 0055BF2A
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleThread
    • String ID: .dll
    • API String ID: 2752942033-2738580789
    • Opcode ID: 20d296cb8014a76e06689d6342a7129adc4cbdd05a6526889b5f3f144d06611b
    • Instruction ID: c99ded5e05db800961909009e7dd005421d4c6b6639894b2621689b22aeb5878
    • Opcode Fuzzy Hash: 20d296cb8014a76e06689d6342a7129adc4cbdd05a6526889b5f3f144d06611b
    • Instruction Fuzzy Hash: 5CF09A71104206AFEF10AF54CC5EAAA3FA4BF68306F108612FE058A056C375D5A8DE22

    Control-flow Graph

    control_flow_graph 173 55e953-55e961 174 55e967-55e96e 173->174 175 55e973 173->175 176 55e97a-55e986 call 55a204 174->176 175->176 179 55e9a1-55e9b1 call 55e905 176->179 180 55e98c-55e996 call 55e860 176->180 186 55e9b7-55e9be 179->186 187 55e9c3-55e9d1 call 55a916 179->187 180->179 185 55e99c 180->185 188 55e9e2-55e9e7 185->188 186->188 187->188 194 55e9d7-55e9d8 call 55c15a 187->194 190 55ea10-55ea25 CreateFileA 188->190 191 55e9ed-55ea0b CreateFileW 188->191 193 55ea2b-55ea2c 190->193 191->193 195 55ea31-55ea38 call 55a2af 193->195 198 55e9dd 194->198 198->195
    APIs
    • CreateFileW.KERNELBASE(01341914,?,?,-11F45FEC,?,?,?,-11F45FEC,?), ref: 0055EA05
      • Part of subcall function 0055E905: IsBadWritePtr.KERNEL32(?,00000004), ref: 0055E913
    • CreateFileA.KERNEL32(?,?,?,-11F45FEC,?,?,?,-11F45FEC,?), ref: 0055EA25
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: 1f3010483c3cdc73f7757b8c5e9fb745bb9efd9bdae2fd0970d68920f4334f7f
    • Instruction ID: 1be9b8ec7c156bacb218bd6e81a2a6ffbcb8f8afe9a6a1cca9315f45d2308fc7
    • Opcode Fuzzy Hash: 1f3010483c3cdc73f7757b8c5e9fb745bb9efd9bdae2fd0970d68920f4334f7f
    • Instruction Fuzzy Hash: AB11143100424AFBCF269FA0CC2BB9D3E32BF59346F118516FE0524461C7768AB9EB42

    Control-flow Graph

    control_flow_graph 200 55e2bf-55e2d5 call 55a204 GetCurrentProcess 203 55e317-55e339 call 55a2af DuplicateHandle 200->203 204 55e2db-55e2de 200->204 209 55e343-55e345 203->209 204->203 205 55e2e4-55e2e7 204->205 205->203 208 55e2ed-55e300 call 55a05e 205->208 208->203 212 55e306-55e33e call 55c05c call 55a2af 208->212 212->209
    APIs
      • Part of subcall function 0055A204: GetCurrentThreadId.KERNEL32 ref: 0055A213
    • GetCurrentProcess.KERNEL32(-11F45FEC), ref: 0055E2CC
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0055E332
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessThread
    • String ID:
    • API String ID: 3748180921-0
    • Opcode ID: cd0abef74f2c60c0821b31ad4ca4e3aa4ab221f0cc4891318081f949544771e8
    • Instruction ID: 646d9bd12771d8c4b526a3f9b2494eaf382f43b7ee4ee7405f8dc906c4f26e54
    • Opcode Fuzzy Hash: cd0abef74f2c60c0821b31ad4ca4e3aa4ab221f0cc4891318081f949544771e8
    • Instruction Fuzzy Hash: CC016D3310010BFB8F26AFA4CC1AC9E3F35BF99352B054A16FE4196051C736E569EB62

    Control-flow Graph

    control_flow_graph 244 55c93e-55c94f 245 55c955-55c969 call 55a2e2 244->245 246 55c97e-55c987 call 55a2e2 244->246 256 55ca6c 245->256 257 55c96f-55c97d 245->257 251 55ca64-55ca67 call 55a307 246->251 252 55c98d-55c99e call 55c120 246->252 251->256 260 55c9a4-55c9a8 252->260 261 55c9be-55c9fd CreateFileA 252->261 259 55ca73-55ca77 256->259 257->246 265 55c9ae-55c9ba 260->265 266 55c9bb 260->266 262 55ca21-55ca24 261->262 263 55ca03-55ca20 261->263 267 55ca57-55ca5f call 55bfaf 262->267 268 55ca2a-55ca41 call 55a024 262->268 263->262 265->266 266->261 267->256 268->259 275 55ca47-55ca52 call 55c01d 268->275 275->256
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 0055C9F3
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 506b9b6c2ded4343ba398567dd01916246158ff9a5a1db379d966d91e230f012
    • Instruction ID: a76a990a6745cfb0efe3961ff53f0df5bfa737ef841d33a85e069e5e908026aa
    • Opcode Fuzzy Hash: 506b9b6c2ded4343ba398567dd01916246158ff9a5a1db379d966d91e230f012
    • Instruction Fuzzy Hash: C3316B71900209BFEB20DFA0DC59FA9BFB8FF48725F208226F901AA191C771A945CB10

    Control-flow Graph

    control_flow_graph 278 55c15a-55c169 call 55a2e2 281 55c26f 278->281 282 55c16f-55c180 call 55c120 278->282 284 55c276-55c27a 281->284 286 55c186-55c18a 282->286 287 55c1a0-55c1e6 CreateFileA 282->287 288 55c190-55c19c 286->288 289 55c19d 286->289 290 55c231-55c234 287->290 291 55c1ec-55c20d 287->291 288->289 289->287 292 55c267-55c26a call 55bfaf 290->292 293 55c23a-55c251 call 55a024 290->293 291->290 299 55c213-55c230 291->299 292->281 293->284 300 55c257-55c262 call 55c01d 293->300 299->290 300->281
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 0055C1DC
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: c02f2f7ebe4a6c114a29731c566ef595ecf5ac8d017606736584bb7e26295f94
    • Instruction ID: 6bb8bd974f7f1afa25f2fcde31cf2bbb931d01d33a57a0df6569123997000351
    • Opcode Fuzzy Hash: c02f2f7ebe4a6c114a29731c566ef595ecf5ac8d017606736584bb7e26295f94
    • Instruction Fuzzy Hash: 1C31B175500305BFEF209FA4DC59F99BFB8BF45B25F204226FA10AA0D1D7B2A585CB14

    Control-flow Graph (figure; nodes marked Executed / Not Executed)
    • Blocks: 52a0d48-52a0d97, 52a0d99-52a0d9c, 52a0d9f-52a0da3, 52a0da5-52a0da8, 52a0dab-52a0dda (OpenSCManagerW), 52a0ddc-52a0de2, 52a0de3-52a0df7
    • Edges: 52a0d48-52a0d97 -> 52a0d99-52a0d9c; 52a0d48-52a0d97 -> 52a0d9f-52a0da3; 52a0d99-52a0d9c -> 52a0d9f-52a0da3; 52a0d9f-52a0da3 -> 52a0dab-52a0dda; 52a0d9f-52a0da3 -> 52a0da5-52a0da8; 52a0dab-52a0dda -> 52a0ddc-52a0de2; 52a0dab-52a0dda -> 52a0de3-52a0df7; 52a0da5-52a0da8 -> 52a0dab-52a0dda; 52a0ddc-52a0de2 -> 52a0de3-52a0df7
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 052A0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2265031710.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_52a0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 58bf38e443062ca6919f0ef365f2cca124a34176dee662fb677a2f66a3c71991
    • Instruction ID: b13784c7970da95a4f59ae15803f2d6ea3409b1a9995cf1e328db72c8870975c
    • Opcode Fuzzy Hash: 58bf38e443062ca6919f0ef365f2cca124a34176dee662fb677a2f66a3c71991
    • Instruction Fuzzy Hash: 982147B6C012599FCB10CF99D884ADEFBF4FF88310F14811AD808AB204C734A540CFA4

    Control-flow Graph (figure; nodes marked Executed / Not Executed)
    • Blocks: 52a0d42-52a0d97, 52a0d99-52a0d9c, 52a0d9f-52a0da3, 52a0da5-52a0da8, 52a0dab-52a0dda (OpenSCManagerW), 52a0ddc-52a0de2, 52a0de3-52a0df7
    • Edges: 52a0d42-52a0d97 -> 52a0d99-52a0d9c; 52a0d42-52a0d97 -> 52a0d9f-52a0da3; 52a0d99-52a0d9c -> 52a0d9f-52a0da3; 52a0d9f-52a0da3 -> 52a0dab-52a0dda; 52a0d9f-52a0da3 -> 52a0da5-52a0da8; 52a0dab-52a0dda -> 52a0ddc-52a0de2; 52a0dab-52a0dda -> 52a0de3-52a0df7; 52a0da5-52a0da8 -> 52a0dab-52a0dda; 52a0ddc-52a0de2 -> 52a0de3-52a0df7
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 052A0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2265031710.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_52a0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 6835742b6b2f19ad0606e4d338b4a4a3f49ac9926a8986e6e2998246d20d0015
    • Instruction ID: 87168b24164d350627d273a6fa382c37e61cf2e2b34988e5f10ee4c1c160b53c
    • Opcode Fuzzy Hash: 6835742b6b2f19ad0606e4d338b4a4a3f49ac9926a8986e6e2998246d20d0015
    • Instruction Fuzzy Hash: 4B2135BAC016598FCB50CF99D988BDEFBF4FF88310F14811AD909AB244D734A540CBA0
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00508AB9
    Memory Dump Source
    • Source File: 00000000.00000002.2262795963.0000000000502000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: a1298ef7b58ed4d65f40ebde7acfb9d1bad5e5f2d2c983ecb9d17f337099c86c
    • Instruction ID: 400a8a6fe9001ea76ffc3a6ceefdb206f8c9783f13be0c9fdfd7c7f2711f9bc6
    • Opcode Fuzzy Hash: a1298ef7b58ed4d65f40ebde7acfb9d1bad5e5f2d2c983ecb9d17f337099c86c
    • Instruction Fuzzy Hash: D1F04FBB30D2157DE200CA55AE90EFFBB9CEBC97B0B308C2BF585C6541C6214D496675
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 052A1580
    Memory Dump Source
    • Source File: 00000000.00000002.2265031710.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_52a0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: ce27a60b2ccf1389a004fbe0475b4864d6af92eb3fc94f3e4e84eb7bf3681eb4
    • Instruction ID: 4c65e7ddb9b38a55f64590237c10d8fa4db72d6f914ab98dacf909364b4eee85
    • Opcode Fuzzy Hash: ce27a60b2ccf1389a004fbe0475b4864d6af92eb3fc94f3e4e84eb7bf3681eb4
    • Instruction Fuzzy Hash: D92103B69002498FDB10CF9AC584BDEBBF4FF48320F14802AE519A3250D378AA44CFA1
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 052A1580
    Memory Dump Source
    • Source File: 00000000.00000002.2265031710.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_52a0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: c967a53aa29d16c91bcb6a25235276f9ea00c2f5de291baf0800de7ac22bcf8f
    • Instruction ID: 45c5857a780c3106268082f3a21b8d357cc129aba2ceba3e0e001ce318f7ca8d
    • Opcode Fuzzy Hash: c967a53aa29d16c91bcb6a25235276f9ea00c2f5de291baf0800de7ac22bcf8f
    • Instruction Fuzzy Hash: B511E4B59002499FDB10CF9AC584BDEFBF4FF48320F108029E559A3250D778AA44CFA5
    APIs
      • Part of subcall function 0055A204: GetCurrentThreadId.KERNEL32 ref: 0055A213
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11F45FEC), ref: 0055F512
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CurrentFileThreadView
    • String ID:
    • API String ID: 1949693742-0
    • Opcode ID: 13c0874357ad93fe310a89b87e204c43b880e2638ca0110027fcdd998fdcc838
    • Instruction ID: 56c1c0fa72d7df03a874c1abc8597ee323a094e73066b904dc6cefd834856961
    • Opcode Fuzzy Hash: 13c0874357ad93fe310a89b87e204c43b880e2638ca0110027fcdd998fdcc838
    • Instruction Fuzzy Hash: E311A57250010AFBCF226FA4DC2AC9F3E66BF98352B004522FE1155061D736857AEB62
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CurrentThread
    • String ID:
    • API String ID: 2882836952-0
    • Opcode ID: d6d011c6b5b6c628f5da3e56f7a44a403c6f5994e61e030e7cc6dd1587d0464b
    • Instruction ID: d516d1a2cab9a572c29cac2ddac79678e5bb5b347af9996a7ea595c1066fa914
    • Opcode Fuzzy Hash: d6d011c6b5b6c628f5da3e56f7a44a403c6f5994e61e030e7cc6dd1587d0464b
    • Instruction Fuzzy Hash: B711A17A40020AEFCF11AF94CD2EA9E3F75BF88306F004522FD0186061C379C969EB61
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 052A1367
    Memory Dump Source
    • Source File: 00000000.00000002.2265031710.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_52a0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: e00b5ffc29753604d1bbeb192800e2920c89bb18719607ca826924d4aebd45d1
    • Instruction ID: 84582d7b0ab6b80052a143f7ed663ec2c750280d14b25cc03e92d92d74abec04
    • Opcode Fuzzy Hash: e00b5ffc29753604d1bbeb192800e2920c89bb18719607ca826924d4aebd45d1
    • Instruction Fuzzy Hash: EC1103B5800259CFDB10DF9AC545BEEFBF8EF48320F24846AD518A3650D778A944CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 052A1367
    Memory Dump Source
    • Source File: 00000000.00000002.2265031710.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_52a0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 1842968722212a36efa0b0285a717d52b802dc4240d1a56a1b38daed5e6c816a
    • Instruction ID: 37dbc69f4289ee00c040c9be6d20e25b14819e226a91b60cc058d168bcaee120
    • Opcode Fuzzy Hash: 1842968722212a36efa0b0285a717d52b802dc4240d1a56a1b38daed5e6c816a
    • Instruction Fuzzy Hash: D41122B6800249CFDB10DF9AC545BEEBBF4EF08320F24842AD528A3640D778A944CFA5
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00508AB9
    Memory Dump Source
    • Source File: 00000000.00000002.2262795963.0000000000502000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 854a5abe6c3cb3388852e966a39a19baae399cd527ca4aa962611f5c138136e3
    • Instruction ID: cb923571ebd11fcb46a681f78dcc516220a41154db4debcde741aeb36694c67d
    • Opcode Fuzzy Hash: 854a5abe6c3cb3388852e966a39a19baae399cd527ca4aa962611f5c138136e3
    • Instruction Fuzzy Hash: 92F090B720D2157EE200DA45AE80EBFBB9CEB857B0B304C2BF585C7541C1224C495B75
    APIs
    • CreateFileA.KERNELBASE(0457E826,?,3C61FC5C), ref: 00508E0D
    Memory Dump Source
    • Source File: 00000000.00000002.2262795963.0000000000502000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: cd15e004e9c728bad6170a29ad4ab7621167e1fb17c06055d6c77ca73f7c8c3e
    • Instruction ID: b3ab47fdd4d0d36943cba5f9001744f638a34e977e9cef5523d0b7e5ec1d7786
    • Opcode Fuzzy Hash: cd15e004e9c728bad6170a29ad4ab7621167e1fb17c06055d6c77ca73f7c8c3e
    • Instruction Fuzzy Hash: E801263260C20B9FC301EE34C948FBCBFAAFB55700F250A5DE0858B6C5DE225D848B15
    APIs
      • Part of subcall function 0055A204: GetCurrentThreadId.KERNEL32 ref: 0055A213
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11F45FEC,?,?,0055C886,?,?,00000400,?,00000000,?,00000000), ref: 0055EBC3
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    • Associated: 00000000.00000002.2262575514.0000000000380000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262596275.0000000000382000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262613033.0000000000386000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262632482.000000000038A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262655780.0000000000396000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262753126.00000000004E6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262770126.00000000004E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262795963.0000000000502000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262795963.0000000000510000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262834379.0000000000512000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262852071.0000000000517000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262870602.0000000000524000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262887560.0000000000525000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262903076.0000000000527000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262923295.0000000000528000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262945825.000000000053C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262961968.000000000053D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262977637.0000000000540000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263018662.0000000000560000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263035061.0000000000562000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263051942.0000000000563000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263068292.0000000000566000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263088232.0000000000579000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263104385.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263120285.000000000057F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263139107.0000000000584000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263163751.000000000058F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263182771.0000000000593000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263199705.000000000059B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263216183.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263232813.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263250176.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263264847.00000000005B8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263281892.00000000005BB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263321112.0000000000610000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263321112.0000000000616000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263359786.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377834.0000000000628000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CurrentFileReadThread
    • String ID:
    • API String ID: 2348311434-0
    • Opcode ID: cce523fd5826f0913fff23df0faa715f3b9bd1739e3e4c11d143226032bee6c1
    • Instruction ID: 21d4194f8bc482c8b8f9de87b43b84213423811d631360416a4d05b03e157944
    • Opcode Fuzzy Hash: cce523fd5826f0913fff23df0faa715f3b9bd1739e3e4c11d143226032bee6c1
    • Instruction Fuzzy Hash: C0F0193610410BEFCF166F94D81AD8E3F66FF98362F004512FE0659065C736C5A9EB62
    APIs
    • CreateFileA.KERNELBASE(0457E826,?,3C61FC5C), ref: 00508E0D
    Memory Dump Source
    • Source File: 00000000.00000002.2262795963.0000000000502000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    • Associated: 00000000.00000002.2262575514.0000000000380000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262596275.0000000000382000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262613033.0000000000386000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262632482.000000000038A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262655780.0000000000396000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262753126.00000000004E6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262770126.00000000004E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262795963.0000000000510000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262834379.0000000000512000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262852071.0000000000517000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262870602.0000000000524000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262887560.0000000000525000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262903076.0000000000527000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262923295.0000000000528000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262945825.000000000053C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262961968.000000000053D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262977637.0000000000540000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263018662.0000000000560000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263035061.0000000000562000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263051942.0000000000563000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263068292.0000000000566000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263088232.0000000000579000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263104385.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263120285.000000000057F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263139107.0000000000584000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263163751.000000000058F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263182771.0000000000593000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263199705.000000000059B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263216183.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263232813.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263250176.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263264847.00000000005B8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263281892.00000000005BB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263321112.0000000000610000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263321112.0000000000616000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263359786.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377834.0000000000628000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: b7537efdc5626dcf02e4df36cf166969d26f65c7238cbfad7606e5283df95b78
    • Instruction ID: f473654ef7a0377f12207abd34224ad7ed55b1f29be3ea33fb8094c7dea69713
    • Opcode Fuzzy Hash: b7537efdc5626dcf02e4df36cf166969d26f65c7238cbfad7606e5283df95b78
    • Instruction Fuzzy Hash: B9F0283210C64B8FC311DE38C944ABC7FAAFB55700B250A5DE0C58B686DD265C848B29
    APIs
    • CreateFileA.KERNELBASE(0457E826,?,3C61FC5C), ref: 00508E0D
    Memory Dump Source
    • Source File: 00000000.00000002.2262795963.0000000000502000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    • Associated: 00000000.00000002.2262575514.0000000000380000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262596275.0000000000382000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262613033.0000000000386000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262632482.000000000038A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262655780.0000000000396000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262753126.00000000004E6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262770126.00000000004E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262795963.0000000000510000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262834379.0000000000512000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262852071.0000000000517000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262870602.0000000000524000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262887560.0000000000525000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262903076.0000000000527000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262923295.0000000000528000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262945825.000000000053C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262961968.000000000053D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262977637.0000000000540000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263018662.0000000000560000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263035061.0000000000562000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263051942.0000000000563000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263068292.0000000000566000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263088232.0000000000579000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263104385.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263120285.000000000057F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263139107.0000000000584000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263163751.000000000058F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263182771.0000000000593000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263199705.000000000059B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263216183.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263232813.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263250176.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263264847.00000000005B8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263281892.00000000005BB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263321112.0000000000610000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263321112.0000000000616000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263359786.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377834.0000000000628000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 8041c0a42b76c21a9d4db83b26c61be76b6bfd342254dc70114f78d9b036583a
    • Instruction ID: 3046fd9112c063444f741b536115bfe08e71a8cf326f77b83484d7ed8c91b713
    • Opcode Fuzzy Hash: 8041c0a42b76c21a9d4db83b26c61be76b6bfd342254dc70114f78d9b036583a
    • Instruction Fuzzy Hash: 78F0E53120D2479FD351DA34DC5AB7D3FAAEB863147314AADE089CB287DD269C468724
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00508AB9
    Memory Dump Source
    • Source File: 00000000.00000002.2262795963.0000000000502000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    • Associated: 00000000.00000002.2262575514.0000000000380000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262596275.0000000000382000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262613033.0000000000386000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262632482.000000000038A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262655780.0000000000396000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262753126.00000000004E6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262770126.00000000004E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262795963.0000000000510000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262834379.0000000000512000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262852071.0000000000517000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262870602.0000000000524000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262887560.0000000000525000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262903076.0000000000527000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262923295.0000000000528000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262945825.000000000053C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262961968.000000000053D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262977637.0000000000540000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263018662.0000000000560000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263035061.0000000000562000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263051942.0000000000563000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263068292.0000000000566000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263088232.0000000000579000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263104385.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263120285.000000000057F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263139107.0000000000584000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263163751.000000000058F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263182771.0000000000593000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263199705.000000000059B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263216183.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263232813.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263250176.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263264847.00000000005B8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263281892.00000000005BB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263321112.0000000000610000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263321112.0000000000616000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263359786.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377834.0000000000628000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: dd614aede04a234e4c8fe13c86b9098c4878e5d21f9be6db6451c34dff7bedcb
    • Instruction ID: d43d08a4a2334c2b7891c71ed0d95f0634ee29303196743f15b59dfde6fd2295
    • Opcode Fuzzy Hash: dd614aede04a234e4c8fe13c86b9098c4878e5d21f9be6db6451c34dff7bedcb
    • Instruction Fuzzy Hash: 41F0A032309305EED720EF6489C5A7E7FA0BB95775F284A1AD8E2D76D2CA2144009AD9
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2262795963.0000000000502000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    • Associated: 00000000.00000002.2262575514.0000000000380000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262596275.0000000000382000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262613033.0000000000386000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262632482.000000000038A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262655780.0000000000396000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262753126.00000000004E6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262770126.00000000004E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262795963.0000000000510000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262834379.0000000000512000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262852071.0000000000517000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262870602.0000000000524000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262887560.0000000000525000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262903076.0000000000527000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262923295.0000000000528000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262945825.000000000053C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262961968.000000000053D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262977637.0000000000540000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263018662.0000000000560000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263035061.0000000000562000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263051942.0000000000563000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263068292.0000000000566000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263088232.0000000000579000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263104385.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263120285.000000000057F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263139107.0000000000584000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263163751.000000000058F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263182771.0000000000593000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263199705.000000000059B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263216183.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263232813.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263250176.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263264847.00000000005B8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263281892.00000000005BB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263321112.0000000000610000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263321112.0000000000616000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263359786.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377834.0000000000628000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 97ca521b9f667e327b8dfcbcb597f4207e02b38ddbd9ad0701d732ec03bae037
    • Instruction ID: b9c3800b7218d35ad9690992035c5a6b8491b52939641b893a48e2036e2ce014
    • Opcode Fuzzy Hash: 97ca521b9f667e327b8dfcbcb597f4207e02b38ddbd9ad0701d732ec03bae037
    • Instruction Fuzzy Hash: 9BD02BD300DB5134F10127560B45EBEAEBA7741230E21445EB2C01C0C19C7204041139
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2262795963.0000000000502000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    • Associated: 00000000.00000002.2262575514.0000000000380000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262596275.0000000000382000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262613033.0000000000386000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262632482.000000000038A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262655780.0000000000396000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262753126.00000000004E6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262770126.00000000004E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262795963.0000000000510000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262834379.0000000000512000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262852071.0000000000517000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262870602.0000000000524000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262887560.0000000000525000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262903076.0000000000527000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262923295.0000000000528000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262945825.000000000053C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262961968.000000000053D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262977637.0000000000540000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263018662.0000000000560000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263035061.0000000000562000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263051942.0000000000563000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263068292.0000000000566000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263088232.0000000000579000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263104385.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263120285.000000000057F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263139107.0000000000584000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263163751.000000000058F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263182771.0000000000593000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263199705.000000000059B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263216183.00000000005A0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263232813.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263250176.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263264847.00000000005B8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263281892.00000000005BB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263321112.0000000000610000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263321112.0000000000616000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263359786.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2263377834.0000000000628000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 5e1b4fa717275b62461556a17e97f407e61d11a1ffd3a5d0532c062f5c970d40
    • Instruction ID: 1a78719b825ac79596c17154bccff98bee076f89a8c7b66aac8102f8aa4597cb
    • Opcode Fuzzy Hash: 5e1b4fa717275b62461556a17e97f407e61d11a1ffd3a5d0532c062f5c970d40
    • Instruction Fuzzy Hash: 8AC022A3501A1E26F11013284C81FADB7AAFFC8440F504A04E24407182C8200C918324
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00508AB9
    Memory Dump Source
    • Source File: 00000000.00000002.2262795963.0000000000502000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: aafb752aeef096e6a6718dc9c688a8af0da688b8a9e0a563b8204711e5ccec2c
    • Instruction ID: 5b2877cfe7f9854ddbc023de920e079c8734fe1eba1ebd9a838a5a2c55a2a463
    • Opcode Fuzzy Hash: aafb752aeef096e6a6718dc9c688a8af0da688b8a9e0a563b8204711e5ccec2c
    • Instruction Fuzzy Hash: 1CC080F035535129D214F7380C5AFBE7F0457D0531F18055DE5401B1C18D52D4004671
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 0038E7C0
    Memory Dump Source
    • Source File: 00000000.00000002.2262632482.000000000038A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: dc9d0e0897ad78dcf8b29be54d9a5c7907e7c0b9b3d9b3903d4de2cd205f5493
    • Instruction ID: f3be854b279a2b1f5ee72ef5368f6f7758efe9c71155396bc3551d23127424c7
    • Opcode Fuzzy Hash: dc9d0e0897ad78dcf8b29be54d9a5c7907e7c0b9b3d9b3903d4de2cd205f5493
    • Instruction Fuzzy Hash: 471157B7608345CBE7407EB98C087BF7BE9DB80320F25056EDA52C3B80D6728805CB42
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: d2bd3bacd29c6c18c2985c0eda9891d2389954af61666391bf20d78ef9fa71ad
    • Instruction ID: 4238d19feff1f71f5644f5dd1d5189fada75153f13b960dbd29124f4a5ae985f
    • Opcode Fuzzy Hash: d2bd3bacd29c6c18c2985c0eda9891d2389954af61666391bf20d78ef9fa71ad
    • Instruction Fuzzy Hash: 9101283160011DFFCF219FA4CC08DCEBF76FF48345F004262A900A4061E7728629DB61
    APIs
      • Part of subcall function 0055A204: GetCurrentThreadId.KERNEL32 ref: 0055A213
    • CloseHandle.KERNELBASE(0055C91B,-11F45FEC,?,?,0055C91B,?), ref: 0055CF96
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleThread
    • String ID:
    • API String ID: 3305057742-0
    • Opcode ID: cc8d71a5ad6d00e3f7cd0f5a8502eb87838b1fe172f2dea6381aad7a23195c24
    • Instruction ID: a376761f3cae044432142b4da5b7b8b7e98b5d591daed8e58c03eda5d19e9cfb
    • Opcode Fuzzy Hash: cc8d71a5ad6d00e3f7cd0f5a8502eb87838b1fe172f2dea6381aad7a23195c24
    • Instruction Fuzzy Hash: 44E0DF22204603AACE20BAB8C82FC4E3F29BFE0756B000223BD0285455DA6AD089D622
    APIs
    • CloseHandle.KERNELBASE(?,?,0055A0A3,?,?), ref: 0055C023
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 4fda17e2d6a0940b34406fc591f1ba25bf39afcefe3301bdd19aca28f5782d25
    • Instruction ID: 9ea10e5edaf485e9c4d6c02d89626b7199527dc7f0db831e0eec9eef87d244aa
    • Opcode Fuzzy Hash: 4fda17e2d6a0940b34406fc591f1ba25bf39afcefe3301bdd19aca28f5782d25
    • Instruction Fuzzy Hash: 6CB09231000909BBCF01BF61DC0AC4DBF69BFA6399B008121B945884219B72EA659F98
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2262795963.0000000000502000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID:
    • String ID: 0k{O$9Ze$n]jj
    • API String ID: 0-311306182
    • Opcode ID: c0bcbe8fd11abf697ab6da42a7130e8e143e6f271be63bcaa6215c495c47a0b6
    • Instruction ID: 3a760fdfe1cba547f51c72c799a076dc4f6d2803f89f31209d6972d1ccf09e3d
    • Opcode Fuzzy Hash: c0bcbe8fd11abf697ab6da42a7130e8e143e6f271be63bcaa6215c495c47a0b6
    • Instruction Fuzzy Hash: C712F5B350C6049FD308AF29EC8567AF7E5EF94720F1A4A3DE6C5C3784EA3598408697
    APIs
      • Part of subcall function 0055A204: GetCurrentThreadId.KERNEL32 ref: 0055A213
    • GetSystemTime.KERNEL32(?,-11F45FEC), ref: 0055E386
    • GetFileTime.KERNEL32(?,?,?,?,-11F45FEC), ref: 0055E3C9
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSystemThread
    • String ID:
    • API String ID: 2191017843-0
    • Opcode ID: 9644d5dca96169f339c7c6ec15e5bad945e067bd321e65694377ff89f1f48a7f
    • Instruction ID: 522472eef5ffee7e9f29c0b2896586fe34a2290c2544a0fb509baa91fb680af8
    • Opcode Fuzzy Hash: 9644d5dca96169f339c7c6ec15e5bad945e067bd321e65694377ff89f1f48a7f
    • Instruction Fuzzy Hash: 19017832200046FBCF265F58D81EC8E3F35FFE5722B014622F8014A060CB72E9A5DB61
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 0055F256
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    • Opcode ID: 11c7b02e440c036a1fc09febee889447b95cef3f614bfe8698b8ec2c5f8c23bd
    • Instruction ID: 5cfd4c30f3fc75303567822241884c04963ccae620cc7186916ae8b4266df748
    • Opcode Fuzzy Hash: 11c7b02e440c036a1fc09febee889447b95cef3f614bfe8698b8ec2c5f8c23bd
    • Instruction Fuzzy Hash: 9BF01C7A60010AFFCF01CF98DA4498C7F72FF18305F108126F90596111D3B69A65EF40
    Memory Dump Source
    • Source File: 00000000.00000002.2262923295.0000000000528000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d8d42d31f64b9746bc1b441e8830aeba5d1a98d1861b79e4fa638243a4362eea
    • Instruction ID: ee79ea17df9142d0b65188649c368cdcb523c3f5c423598b4d588083490bd2a4
    • Opcode Fuzzy Hash: d8d42d31f64b9746bc1b441e8830aeba5d1a98d1861b79e4fa638243a4362eea
    • Instruction Fuzzy Hash: EB3187B250C304EFE301BF29DC856AABBE5EF58310F05892DD6D483A14EB31A4908B97
    Memory Dump Source
    • Source File: 00000000.00000002.2262632482.000000000038A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 93a70e72f071c1a271b17f512880a15509e4d3f5a770506f7fcebb8ea181cabc
    • Instruction ID: c50290d875045aa799a77a62b8a4e6337fddc25a2e7c3e1a6c082bce1cda9c3c
    • Opcode Fuzzy Hash: 93a70e72f071c1a271b17f512880a15509e4d3f5a770506f7fcebb8ea181cabc
    • Instruction Fuzzy Hash: 72118CB0408B0ADFDB15AF15D495ABFB7F8EB81350F25852DC88682900D3720895CF57
    APIs
      • Part of subcall function 0055A204: GetCurrentThreadId.KERNEL32 ref: 0055A213
      • Part of subcall function 0055E905: IsBadWritePtr.KERNEL32(?,00000004), ref: 0055E913
    • wsprintfA.USER32 ref: 0055D8CD
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 0055D991
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 439219941-2046107164
    • Opcode ID: 09ffa5c67f502fa44e8d7c2a9f224f3eb3480ea9ef7a9e1b08b8569495768545
    • Instruction ID: 184630d03ee844cddb862ad29f2ec90a7d1056bfe57ac768e61fd4497436043e
    • Opcode Fuzzy Hash: 09ffa5c67f502fa44e8d7c2a9f224f3eb3480ea9ef7a9e1b08b8569495768545
    • Instruction Fuzzy Hash: 7A31147290010AFBCF219F94DC09EAEBF79FF89711F108126FA11A61A0D7719A61DB61
    APIs
    • GetFileAttributesExW.KERNEL32(01341914,00004020,00000000,-11F45FEC), ref: 0055E545
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2262998141.0000000000552000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_380000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 99c33bdd32abc5ed50c7a178cf47a85156f955da4eccd77e5871ee9dc60d20f0
    • Instruction ID: 7d6ba1b9432668f856b4c9f03ea911279da463ee921aaa3bca7446714d928bda
    • Opcode Fuzzy Hash: 99c33bdd32abc5ed50c7a178cf47a85156f955da4eccd77e5871ee9dc60d20f0
    • Instruction Fuzzy Hash: A73189B1500205EFDF29CF44C85978EBFB1FF08315F10862AE95667660D371A6A9CB90