Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1560172
MD5: 832c9676a2a7c2ad3af65ca7c3cde743
SHA1: b773918c7b1880094b9da6153d27c9d718032df7
SHA256: 0ba03d7bec04e966e7190bd15147ceda3c950a0fcd02d2c0cfe0afd51e5b5eac
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5084 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 832C9676A2A7C2AD3AF65CA7C3CDE743)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1739218184.0000000004630000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00300662 | 0_2_00300662
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030065A | 0_2_0030065A
Source: file.exe, 00000000.00000000.1720238763.0000000000176000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename defOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilename defOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this applicationFDS_WL_
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2819072 > 1048576
Source: file.exe | Static PE information: Raw size of ssbqmpcp is bigger than: 0x100000 < 0x2aa400
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1739218184.0000000004630000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.170000.0.unpack :EW;.rsrc:W;.idata :W;ssbqmpcp:EW;iyzbxbnx:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2b4724 should be: 0x2b82ef
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: ssbqmpcp
Source: file.exe | Static PE information: section name: iyzbxbnx
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017E69C push eax; mov dword ptr [esp], esi | 0_2_0017F782
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00323729 push 26E3A7D0h; mov dword ptr [esp], edi | 0_2_00323786
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00323729 push ebx; mov dword ptr [esp], 484557EAh | 0_2_003237A7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003238BC push esi; mov dword ptr [esp], 6BB2F5B1h | 0_2_003238E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003238BC push 23654927h; mov dword ptr [esp], ebx | 0_2_00323924
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003238BC push eax; mov dword ptr [esp], edi | 0_2_0032394C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003238BC push 599D2423h; mov dword ptr [esp], ebx | 0_2_00323A31
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002FFC48 push 676BEC16h; mov dword ptr [esp], edx | 0_2_002FFC66
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002FFC48 push ebx; mov dword ptr [esp], ebp | 0_2_002FFC84
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002FFC48 push 187C1BD1h; mov dword ptr [esp], ecx | 0_2_002FFCA9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D0037 push 56A7FD18h; mov dword ptr [esp], edi | 0_2_003D0081
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030403D push eax; ret | 0_2_0030404C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017D030 push edi; mov dword ptr [esp], ecx | 0_2_0017D04F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017D030 push edi; mov dword ptr [esp], eax | 0_2_0017D38D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032601B push edi; ret | 0_2_0032602A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00323000 push ecx; mov dword ptr [esp], 0A72AC3Ch | 0_2_00323033
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00323000 push ebx; mov dword ptr [esp], ebp | 0_2_0032305D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00323000 push 50D5560Eh; mov dword ptr [esp], ebx | 0_2_003230C2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030100A push ebx; mov dword ptr [esp], 365F6F62h | 0_2_0030100F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00302061 push 130418F3h; mov dword ptr [esp], eax | 0_2_0030207A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002FF07D pushfd ; retf | 0_2_002FF07E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A105C push 030B7C55h; mov dword ptr [esp], ecx | 0_2_003A108C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A105C push 77FAA1CAh; mov dword ptr [esp], ebp | 0_2_003A110D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00329058 push esi; mov dword ptr [esp], edx | 0_2_003291B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00329058 push edi; mov dword ptr [esp], 034280C3h | 0_2_003291DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030105C push 2780A39Fh; mov dword ptr [esp], edi | 0_2_00301069
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00183068 push edi; mov dword ptr [esp], ecx | 0_2_0018306A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030F047 push 4CB95584h; mov dword ptr [esp], edx | 0_2_0030F04D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00181064 push 70EEA614h; mov dword ptr [esp], ebp | 0_2_0018106C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017F095 push esi; mov dword ptr [esp], 5326F045h | 0_2_0017F0A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030E0B7 push 424A6C64h; mov dword ptr [esp], ebp | 0_2_0030E0C1
Source: file.exe | Static PE information: section name: entropy: 7.79338871556311

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2FF997 second address: 2FF9A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2FF9A0 second address: 2FF9A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2FF9A4 second address: 2FF9A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2FF9A8 second address: 2FF9C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A904FB4DCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jg 00007F7A904FB4D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2FFF37 second address: 2FFF3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 303F09 second address: 303FD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7A904FB4E4h 0x00000008 jmp 00007F7A904FB4DDh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push ebx 0x00000012 jmp 00007F7A904FB4E3h 0x00000017 pop ebx 0x00000018 nop 0x00000019 mov dword ptr [ebp+122D3664h], ecx 0x0000001f push 00000000h 0x00000021 push 3251E367h 0x00000026 jmp 00007F7A904FB4E9h 0x0000002b xor dword ptr [esp], 3251E3E7h 0x00000032 mov dword ptr [ebp+122D373Eh], edx 0x00000038 push 00000003h 0x0000003a jns 00007F7A904FB4F5h 0x00000040 push 00000000h 0x00000042 sub edx, 5A3D1DD5h 0x00000048 push 00000003h 0x0000004a mov dword ptr [ebp+122D375Ch], ebx 0x00000050 push 6602CDE9h 0x00000055 pushad 0x00000056 pushad 0x00000057 push edx 0x00000058 pop edx 0x00000059 jmp 00007F7A904FB4E1h 0x0000005e popad 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 303FD0 second address: 303FF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 59FD3217h 0x0000000e movsx esi, di 0x00000011 lea ebx, dword ptr [ebp+12459C69h] 0x00000017 or edx, dword ptr [ebp+122D39FFh] 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 303FF4 second address: 304004 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2E5774 second address: 2E577A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 321C7C second address: 321C82 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 321E30 second address: 321E3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007F7A90C5ABB6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 321E3C second address: 321E40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 321E40 second address: 321E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7A90C5ABB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f jne 00007F7A90C5ABBCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 321E57 second address: 321E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 321E5F second address: 321E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 322285 second address: 32228B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32228B second address: 32228F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 322BB7 second address: 322BD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F7A904FB4D6h 0x0000000c jng 00007F7A904FB4D6h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 322BD0 second address: 322BEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7A90C5ABC5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 322D86 second address: 322DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F7A904FB4D6h 0x0000000a jmp 00007F7A904FB4DDh 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push esi 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 jmp 00007F7A904FB4E4h 0x0000001e pop esi 0x0000001f popad 0x00000020 push eax 0x00000021 push eax 0x00000022 jmp 00007F7A904FB4E2h 0x00000027 jl 00007F7A904FB4D6h 0x0000002d pop eax 0x0000002e pushad 0x0000002f pushad 0x00000030 popad 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3186E8 second address: 3186EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 323599 second address: 3235A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3235A1 second address: 3235B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A90C5ABC2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3235B7 second address: 3235D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F7A904FB4E7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3235D4 second address: 3235FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jng 00007F7A90C5ABB6h 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32374C second address: 323770 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F7A904FB4D8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 323770 second address: 32377A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7A90C5ABBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 323A71 second address: 323AB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4E0h 0x00000007 jp 00007F7A904FB4D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnc 00007F7A904FB4D8h 0x00000015 jng 00007F7A904FB4DEh 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jo 00007F7A904FB4DEh 0x00000024 ja 00007F7A904FB4D6h 0x0000002a push ecx 0x0000002b pop ecx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 323AB2 second address: 323AD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A90C5ABC2h 0x00000009 jmp 00007F7A90C5ABBBh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 323AD3 second address: 323ADC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 323D6D second address: 323D98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABBBh 0x00000007 jmp 00007F7A90C5ABC4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F7A90C5ABB6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 323D98 second address: 323D9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 326482 second address: 326492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F7A90C5ABB6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 326492 second address: 326496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 326496 second address: 32649C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 324CDA second address: 324CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2EF843 second address: 2EF84A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2EF84A second address: 2EF84F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32EAD7 second address: 32EB03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jmp 00007F7A90C5ABC6h 0x0000000a jmp 00007F7A90C5ABC0h 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32EC5B second address: 32EC5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32F1A2 second address: 32F1C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jg 00007F7A90C5ABCAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32F1C1 second address: 32F1C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32F1C7 second address: 32F1CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32F1CB second address: 32F1D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32F2F2 second address: 32F2FD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 332D2F second address: 332D33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3336A3 second address: 33371E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F7A90C5ABBBh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jmp 00007F7A90C5ABC9h 0x00000017 popad 0x00000018 jmp 00007F7A90C5ABBFh 0x0000001d popad 0x0000001e xchg eax, ebx 0x0000001f mov dword ptr [ebp+122D38ADh], esi 0x00000025 nop 0x00000026 jmp 00007F7A90C5ABC4h 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F7A90C5ABC8h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 33371E second address: 333722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 333722 second address: 333728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 333728 second address: 33372D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 333A0C second address: 333A18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push ecx 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 333C49 second address: 333C4E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3340CC second address: 33415D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F7A90C5ABC5h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+122D1E82h], eax 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F7A90C5ABB8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 mov si, cx 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebx 0x00000038 call 00007F7A90C5ABB8h 0x0000003d pop ebx 0x0000003e mov dword ptr [esp+04h], ebx 0x00000042 add dword ptr [esp+04h], 0000001Bh 0x0000004a inc ebx 0x0000004b push ebx 0x0000004c ret 0x0000004d pop ebx 0x0000004e ret 0x0000004f jmp 00007F7A90C5ABC4h 0x00000054 push eax 0x00000055 pushad 0x00000056 jmp 00007F7A90C5ABBAh 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e popad 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 335AB1 second address: 335AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 335AB5 second address: 335AB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3365FB second address: 33661B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7A904FB4D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F7A904FB4E2h 0x00000014 jmp 00007F7A904FB4DCh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3363B5 second address: 3363B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 33B675 second address: 33B67B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 33F6FD second address: 33F701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 33F701 second address: 33F70B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7A904FB4D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 33F70B second address: 33F79D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F7A90C5ABC5h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F7A90C5ABB8h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a push 00000000h 0x0000002c pushad 0x0000002d jmp 00007F7A90C5ABC5h 0x00000032 popad 0x00000033 push 00000000h 0x00000035 mov edi, dword ptr [ebp+122D3C37h] 0x0000003b xchg eax, esi 0x0000003c push edi 0x0000003d jmp 00007F7A90C5ABC8h 0x00000042 pop edi 0x00000043 push eax 0x00000044 pushad 0x00000045 jg 00007F7A90C5ABB8h 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 33D361 second address: 33D38D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b pushad 0x0000000c push edi 0x0000000d je 00007F7A904FB4D6h 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 js 00007F7A904FB4D6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 33F89D second address: 33F8B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 33F8B4 second address: 33F8BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3447B6 second address: 3447BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3447BC second address: 3447C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 342963 second address: 34296E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3447C2 second address: 3447C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34296E second address: 342972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3447C6 second address: 3447CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F1414 second address: 2F1431 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7A90C5ABB6h 0x00000008 jmp 00007F7A90C5ABBBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f js 00007F7A90C5ABB8h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F1431 second address: 2F1438 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 344DA2 second address: 344DA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 345D49 second address: 345DCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F7A904FB4D8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 xor dword ptr [ebp+122D2402h], esi 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007F7A904FB4D8h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 0000001Ch 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 xor dword ptr [ebp+122D3723h], edx 0x0000004c mov bx, cx 0x0000004f push 00000000h 0x00000051 sub dword ptr [ebp+12457119h], ecx 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F7A904FB4DEh 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 344ED7 second address: 344EDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 344F9B second address: 344FB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 344FB7 second address: 344FBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 346C83 second address: 346C88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 345EC4 second address: 345ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnp 00007F7A90C5ABBEh 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 346C88 second address: 346C8D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 346C8D second address: 346CF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push edx 0x0000000b and bl, 0000004Ah 0x0000000e pop ebx 0x0000000f mov ebx, dword ptr [ebp+122D1E4Dh] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F7A90C5ABB8h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D280Bh], eax 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007F7A90C5ABB8h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 00000018h 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 movzx ebx, bx 0x00000056 xchg eax, esi 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 345ED4 second address: 345F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 nop 0x00000006 sub di, 38A4h 0x0000000b push dword ptr fs:[00000000h] 0x00000012 add dword ptr [ebp+1245B076h], edx 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007F7A904FB4D8h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 0000001Bh 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 mov edi, dword ptr [ebp+122D3A5Bh] 0x0000003f mov eax, dword ptr [ebp+122D033Dh] 0x00000045 push 00000000h 0x00000047 push ebp 0x00000048 call 00007F7A904FB4D8h 0x0000004d pop ebp 0x0000004e mov dword ptr [esp+04h], ebp 0x00000052 add dword ptr [esp+04h], 00000015h 0x0000005a inc ebp 0x0000005b push ebp 0x0000005c ret 0x0000005d pop ebp 0x0000005e ret 0x0000005f mov dword ptr [ebp+1245653Dh], edx 0x00000065 movsx edi, ax 0x00000068 push FFFFFFFFh 0x0000006a adc ebx, 0C3EF4A6h 0x00000070 push eax 0x00000071 push edi 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007F7A904FB4E2h 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 346CF2 second address: 346CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 346CF6 second address: 346CFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 346CFC second address: 346D17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jc 00007F7A90C5ABBCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 347E87 second address: 347E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 347E8C second address: 347E92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 347E92 second address: 347E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 346E84 second address: 346E8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 348E17 second address: 348E21 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7A904FB4D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34AEA6 second address: 34AEAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34AEAB second address: 34AED3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7A904FB4E3h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34BE52 second address: 34BEE5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7A90C5ABC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F7A90C5ABB8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 call 00007F7A90C5ABBDh 0x0000002a call 00007F7A90C5ABC0h 0x0000002f xor dword ptr [ebp+122D1E87h], esi 0x00000035 pop ebx 0x00000036 pop edi 0x00000037 cmc 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebx 0x0000003d call 00007F7A90C5ABB8h 0x00000042 pop ebx 0x00000043 mov dword ptr [esp+04h], ebx 0x00000047 add dword ptr [esp+04h], 00000019h 0x0000004f inc ebx 0x00000050 push ebx 0x00000051 ret 0x00000052 pop ebx 0x00000053 ret 0x00000054 xor dword ptr [ebp+12455C83h], edx 0x0000005a push 00000000h 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34BEE5 second address: 34BEF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A904FB4DCh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34CEA4 second address: 34CEAE instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7A90C5ABB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34CEAE second address: 34CF4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F7A904FB4D8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D2B96h], edi 0x0000002a js 00007F7A904FB4E0h 0x00000030 jmp 00007F7A904FB4DAh 0x00000035 push 00000000h 0x00000037 mov edi, dword ptr [ebp+122D3723h] 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push eax 0x00000042 call 00007F7A904FB4D8h 0x00000047 pop eax 0x00000048 mov dword ptr [esp+04h], eax 0x0000004c add dword ptr [esp+04h], 00000015h 0x00000054 inc eax 0x00000055 push eax 0x00000056 ret 0x00000057 pop eax 0x00000058 ret 0x00000059 cmc 0x0000005a xchg eax, esi 0x0000005b jmp 00007F7A904FB4E5h 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F7A904FB4E1h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 348FF7 second address: 349025 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7A90C5ABB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F7A90C5ABBFh 0x00000010 jmp 00007F7A90C5ABBBh 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34B073 second address: 34B0B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F7A904FB4DCh 0x00000012 jmp 00007F7A904FB4E9h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34CF4E second address: 34CF53 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 349025 second address: 349039 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34C107 second address: 34C12D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F7A90C5ABC1h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F7A90C5ABBCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34D0DF second address: 34D0E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 349039 second address: 3490E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jbe 00007F7A90C5ABC8h 0x00000010 jp 00007F7A90C5ABC2h 0x00000016 jmp 00007F7A90C5ABBCh 0x0000001b or dword ptr [ebp+122D25DCh], ecx 0x00000021 push dword ptr fs:[00000000h] 0x00000028 push 00000000h 0x0000002a push edx 0x0000002b call 00007F7A90C5ABB8h 0x00000030 pop edx 0x00000031 mov dword ptr [esp+04h], edx 0x00000035 add dword ptr [esp+04h], 00000017h 0x0000003d inc edx 0x0000003e push edx 0x0000003f ret 0x00000040 pop edx 0x00000041 ret 0x00000042 mov dword ptr [ebp+1245B777h], ebx 0x00000048 mov dword ptr fs:[00000000h], esp 0x0000004f push 00000000h 0x00000051 push ebx 0x00000052 call 00007F7A90C5ABB8h 0x00000057 pop ebx 0x00000058 mov dword ptr [esp+04h], ebx 0x0000005c add dword ptr [esp+04h], 00000017h 0x00000064 inc ebx 0x00000065 push ebx 0x00000066 ret 0x00000067 pop ebx 0x00000068 ret 0x00000069 mov bx, di 0x0000006c mov eax, dword ptr [ebp+122D1475h] 0x00000072 push FFFFFFFFh 0x00000074 or edi, dword ptr [ebp+122D1CB0h] 0x0000007a nop 0x0000007b pushad 0x0000007c push eax 0x0000007d push edx 0x0000007e jmp 00007F7A90C5ABC2h 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34C12D second address: 34C133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34DF0D second address: 34DF13 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34D0E4 second address: 34D0EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3490E7 second address: 34912A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7A90C5ABC6h 0x0000000e popad 0x0000000f push eax 0x00000010 js 00007F7A90C5ABC2h 0x00000016 je 00007F7A90C5ABBCh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34DF13 second address: 34DF2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A904FB4E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34DF2B second address: 34DF2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34DF2F second address: 34DF3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34DF3D second address: 34DF41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34DF41 second address: 34DF96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 ja 00007F7A904FB4D6h 0x0000000e push 00000000h 0x00000010 jmp 00007F7A904FB4DEh 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007F7A904FB4D8h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 mov edi, esi 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 jmp 00007F7A904FB4E0h 0x0000003c push ebx 0x0000003d pop ebx 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34EEFD second address: 34EF62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007F7A90C5ABC8h 0x00000011 mov bl, 57h 0x00000013 push 00000000h 0x00000015 stc 0x00000016 push 00000000h 0x00000018 sub dword ptr [ebp+1247E5E0h], eax 0x0000001e xchg eax, esi 0x0000001f jmp 00007F7A90C5ABC2h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 jc 00007F7A90C5ABB6h 0x0000002e jne 00007F7A90C5ABB6h 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34EF62 second address: 34EF68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34E109 second address: 34E11A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A90C5ABBDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34E11A second address: 34E127 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34E127 second address: 34E136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jl 00007F7A90C5ABBCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34F190 second address: 34F1A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A904FB4DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34F1A0 second address: 34F1BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34F1BF second address: 34F1C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 351027 second address: 351033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 351033 second address: 351038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 351038 second address: 351055 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A90C5ABC9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 351055 second address: 351059 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2EDCFF second address: 2EDD12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F7A90C5ABBDh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2EDD12 second address: 2EDD16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2EDD16 second address: 2EDD1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3590DB second address: 3590DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3590DF second address: 359103 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F7A90C5ABC8h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3681D5 second address: 3681D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3682F6 second address: 368326 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7A90C5ABC8h 0x00000008 jnp 00007F7A90C5ABB6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jg 00007F7A90C5ABC0h 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 368326 second address: 368336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 368336 second address: 36833B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36833B second address: 368341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 368341 second address: 368354 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b jnl 00007F7A90C5ABBCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 368354 second address: 368378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 popad 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7A904FB4E5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36CDAF second address: 36CDB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36D5FA second address: 36D62F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7A904FB4D6h 0x00000008 jmp 00007F7A904FB4E8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007F7A904FB4DFh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36D62F second address: 36D64B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F7A90C5ABB6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36DA82 second address: 36DA88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36DA88 second address: 36DA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36DA8E second address: 36DA92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36DC24 second address: 36DC37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F7A90C5ABBCh 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36DC37 second address: 36DC3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36DC3D second address: 36DC43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36DC43 second address: 36DC49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36DDEA second address: 36DE09 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7A90C5ABC9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36DE09 second address: 36DE0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 378D0E second address: 378D12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 378D12 second address: 378D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F7A904FB4D6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 378D22 second address: 378D28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3781EC second address: 3781F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3781F1 second address: 37820E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A90C5ABC7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3784A9 second address: 3784B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3784B1 second address: 3784D2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7A90C5ABC7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37861C second address: 378621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 378621 second address: 378626 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 319324 second address: 31932A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31932A second address: 31932E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 378BC7 second address: 378BCE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 377643 second address: 377647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37F051 second address: 37F057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37F057 second address: 37F06E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F7A90C5ABC2h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 331258 second address: 3186E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F7A904FB4DCh 0x0000000a popad 0x0000000b nop 0x0000000c jmp 00007F7A904FB4E4h 0x00000011 lea eax, dword ptr [ebp+12487011h] 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007F7A904FB4D8h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 mov edx, dword ptr [ebp+122D2044h] 0x00000037 push esi 0x00000038 sub dword ptr [ebp+122D372Ah], eax 0x0000003e pop edi 0x0000003f nop 0x00000040 jmp 00007F7A904FB4E3h 0x00000045 push eax 0x00000046 push esi 0x00000047 ja 00007F7A904FB4EEh 0x0000004d pop esi 0x0000004e nop 0x0000004f movsx ecx, ax 0x00000052 call dword ptr [ebp+122D1F8Fh] 0x00000058 push esi 0x00000059 push eax 0x0000005a push edx 0x0000005b push edx 0x0000005c pop edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33138B second address: 331397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33186D second address: 331871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 331871 second address: 331877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 331877 second address: 3318ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c jp 00007F7A904FB4EEh 0x00000012 ja 00007F7A904FB4EBh 0x00000018 popad 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F7A904FB4E7h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3318ED second address: 33194D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F7A90C5ABB8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 call 00007F7A90C5ABB9h 0x00000029 pushad 0x0000002a jne 00007F7A90C5ABC5h 0x00000030 push ecx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33194D second address: 33195E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jbe 00007F7A904FB4D6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33195E second address: 33196D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33196D second address: 331971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 331971 second address: 331997 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F7A90C5ABC0h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jbe 00007F7A90C5ABC0h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 331A16 second address: 331A1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 331AC5 second address: 331AC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 331B75 second address: 331BA2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7A904FB4D8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7A904FB4E1h 0x00000013 pop edx 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 pushad 0x00000019 push ecx 0x0000001a pushad 0x0000001b popad 0x0000001c pop ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 331D50 second address: 331D6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 331D6B second address: 331D72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 332211 second address: 332215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3323BD second address: 3323C7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7A904FB4DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 332460 second address: 33246D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 je 00007F7A90C5ABBCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33246D second address: 3324A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov dword ptr [ebp+122D1E8Bh], edi 0x0000000c lea eax, dword ptr [ebp+12487055h] 0x00000012 jng 00007F7A904FB4DCh 0x00000018 mov dword ptr [ebp+122D25DCh], ebx 0x0000001e nop 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F7A904FB4E8h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3324A6 second address: 3192DF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jns 00007F7A90C5ABB6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007F7A90C5ABC2h 0x00000013 jp 00007F7A90C5ABBCh 0x00000019 nop 0x0000001a mov edx, dword ptr [ebp+122D38FFh] 0x00000020 lea eax, dword ptr [ebp+12487011h] 0x00000026 je 00007F7A90C5ABC3h 0x0000002c call 00007F7A90C5ABBCh 0x00000031 pop ecx 0x00000032 push eax 0x00000033 je 00007F7A90C5ABD3h 0x00000039 pushad 0x0000003a pushad 0x0000003b popad 0x0000003c jmp 00007F7A90C5ABC9h 0x00000041 popad 0x00000042 mov dword ptr [esp], eax 0x00000045 push 00000000h 0x00000047 push eax 0x00000048 call 00007F7A90C5ABB8h 0x0000004d pop eax 0x0000004e mov dword ptr [esp+04h], eax 0x00000052 add dword ptr [esp+04h], 0000001Bh 0x0000005a inc eax 0x0000005b push eax 0x0000005c ret 0x0000005d pop eax 0x0000005e ret 0x0000005f or dx, C664h 0x00000064 call dword ptr [ebp+122D27A9h] 0x0000006a jbe 00007F7A90C5ABF4h 0x00000070 pushad 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37F4DE second address: 37F4E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37F763 second address: 37F773 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7A90C5ABB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37F773 second address: 37F777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37F777 second address: 37F78A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7A90C5ABB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jp 00007F7A90C5ABB6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37F931 second address: 37F937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37F937 second address: 37F93B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37F93B second address: 37F93F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37F93F second address: 37F945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37F945 second address: 37F97B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7A904FB4E8h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007F7A904FB4DBh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37FADC second address: 37FAFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F7A90C5ABBAh 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jnl 00007F7A90C5ABB6h 0x00000018 push esi 0x00000019 pop esi 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37FAFE second address: 37FB06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37FCA8 second address: 37FCC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A90C5ABC4h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37FCC2 second address: 37FCC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37FE0B second address: 37FE2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7A90C5ABC4h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37FE2F second address: 37FE33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37FE33 second address: 37FE84 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F7A90C5ABC5h 0x0000000c js 00007F7A90C5ABB6h 0x00000012 jmp 00007F7A90C5ABBBh 0x00000017 popad 0x00000018 popad 0x00000019 jg 00007F7A90C5ABF7h 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 jmp 00007F7A90C5ABC7h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37FE84 second address: 37FE9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F7A904FB4E0h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37FE9E second address: 37FEA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 385895 second address: 3858C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A904FB4E4h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7A904FB4DEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3858C0 second address: 3858C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 384B26 second address: 384B2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38413D second address: 384141 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 384141 second address: 38417F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A904FB4E1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c ja 00007F7A904FB4D6h 0x00000012 pop ecx 0x00000013 pop eax 0x00000014 pushad 0x00000015 jmp 00007F7A904FB4E5h 0x0000001a push eax 0x0000001b push edx 0x0000001c jne 00007F7A904FB4D6h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38417F second address: 384191 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 js 00007F7A90C5ABB6h 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 384EBA second address: 384ED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A904FB4DCh 0x00000009 jmp 00007F7A904FB4DDh 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 384ED8 second address: 384EEA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7A90C5ABBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 384EEA second address: 384EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38502D second address: 385043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A90C5ABBBh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 385043 second address: 385052 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7A904FB4D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3903C3 second address: 3903C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3904EB second address: 390511 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7A904FB4E2h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 390511 second address: 390517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 390517 second address: 390525 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3907A9 second address: 3907AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 394ECA second address: 394ED0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39508A second address: 3950A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A90C5ABC8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3950A6 second address: 3950AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3951EB second address: 39521A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7A90C5ABC2h 0x00000008 js 00007F7A90C5ABB8h 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jne 00007F7A90C5ABBCh 0x0000001a jng 00007F7A90C5ABB6h 0x00000020 push esi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39521A second address: 395221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39635E second address: 396363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 396363 second address: 396368 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 396368 second address: 396370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 397C59 second address: 397C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F7A904FB4D6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push edx 0x0000000d push esi 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 397C70 second address: 397C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F8063 second address: 2F806D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F806D second address: 2F808E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7A90C5ABC7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F808E second address: 2F80A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A904FB4DDh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F80A1 second address: 2F80AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABBAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39A3A8 second address: 39A3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1CB6 second address: 3A1D18 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7A90C5ABB6h 0x00000008 jmp 00007F7A90C5ABC5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007F7A90C5ABBEh 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 jns 00007F7A90C5ABB6h 0x0000001d pushad 0x0000001e push esi 0x0000001f pop esi 0x00000020 pushad 0x00000021 popad 0x00000022 jg 00007F7A90C5ABB6h 0x00000028 popad 0x00000029 popad 0x0000002a push ecx 0x0000002b jns 00007F7A90C5ABBCh 0x00000031 push edx 0x00000032 jmp 00007F7A90C5ABC8h 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39FCC4 second address: 39FCD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F7A904FB4D6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39FFEA second address: 39FFFB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7A90C5ABBAh 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39FFFB second address: 3A0014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f jo 00007F7A904FB4D6h 0x00000015 pop ebx 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A0BA8 second address: 3A0BAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A0BAE second address: 3A0BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A0BB2 second address: 3A0BDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F7A90C5ABC0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007F7A90C5ABBCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1147 second address: 3A1156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 js 00007F7A904FB4D6h 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1473 second address: 3A1477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1477 second address: 3A147B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A147B second address: 3A1485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A1485 second address: 3A1489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A173A second address: 3A1740 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A3E9B second address: 3A3E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A3E9F second address: 3A3EAE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7A90C5ABB6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A3EAE second address: 3A3EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A904FB4E6h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F7A904FB4DDh 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A53BC second address: 3A53C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A53C0 second address: 3A53F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A904FB4E3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F7A904FB4E9h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A53F2 second address: 3A53FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F7A90C5ABB6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8385 second address: 3A83BB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F7A904FB4E3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F7A904FB4E2h 0x00000014 jc 00007F7A904FB4F0h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A83BB second address: 3A83D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A90C5ABC4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A83D3 second address: 3A83DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A83DB second address: 3A83E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A855A second address: 3A8579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7A904FB4E5h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8579 second address: 3A8586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7A90C5ABB6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8586 second address: 3A858B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A87EC second address: 3A87F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A896B second address: 3A896F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A896F second address: 3A8975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8975 second address: 3A8994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7A904FB4E7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8994 second address: 3A89B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push ecx 0x0000000b pushad 0x0000000c jp 00007F7A90C5ABB6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A89B0 second address: 3A89CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A904FB4DEh 0x00000009 popad 0x0000000a jc 00007F7A904FB4DEh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3A8C76 second address: 3A8C7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A8C7A second address: 3A8C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A8C80 second address: 3A8CB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jl 00007F7A90C5ABB6h 0x0000000b jmp 00007F7A90C5ABBEh 0x00000010 jg 00007F7A90C5ABB6h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push edx 0x0000001a je 00007F7A90C5ABBAh 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A8CB1 second address: 3A8CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AD6D0 second address: 3AD6F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnc 00007F7A90C5ABB6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B4654 second address: 3B465C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B47FE second address: 3B4802 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B493D second address: 3B4942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B4942 second address: 3B495F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B495F second address: 3B4984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 je 00007F7A904FB4D6h 0x0000000e popad 0x0000000f jl 00007F7A904FB4E3h 0x00000015 jmp 00007F7A904FB4DDh 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B4C44 second address: 3B4C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B4C48 second address: 3B4C4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B4C4C second address: 3B4C52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B3A4B second address: 3B3A73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4DFh 0x00000007 jbe 00007F7A904FB4D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F7A904FB4DBh 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B3A73 second address: 3B3AA6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7A90C5ABD1h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F7A90C5ABFCh 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F7A90C5ABB6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B3AA6 second address: 3B3AD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4E1h 0x00000007 jmp 00007F7A904FB4DFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F7A904FB4D6h 0x00000016 jne 00007F7A904FB4D6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C9BD4 second address: 3C9BDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C9BDF second address: 3C9BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C97C3 second address: 3C97C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C97C7 second address: 3C97D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C97D0 second address: 3C97D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CBF33 second address: 3CBF39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CBF39 second address: 3CBF3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CBF3D second address: 3CBF5D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7A904FB4D6h 0x00000008 jmp 00007F7A904FB4E2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CBF5D second address: 3CBF63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CBF63 second address: 3CBF67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CC09B second address: 3CC0A9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7A90C5ABB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CC0A9 second address: 3CC0AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CC0AD second address: 3CC0B6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CC0B6 second address: 3CC0BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D5E4A second address: 3D5E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D5E50 second address: 3D5E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D5E54 second address: 3D5E7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7A90C5ABC1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7A90C5ABBDh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D5E7C second address: 3D5E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D5E80 second address: 3D5E86 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D4B9E second address: 3D4BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F7A904FB4EAh 0x0000000b jmp 00007F7A904FB4E2h 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D4BC1 second address: 3D4BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DD3C7 second address: 3DD3CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DD3CC second address: 3DD3E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F7A90C5ABBAh 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DD24B second address: 3DD262 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7A904FB4E1h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E6549 second address: 3E655C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E6943 second address: 3E6956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F7A904FB4D6h 0x0000000a popad 0x0000000b jp 00007F7A904FB4D8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E6956 second address: 3E695B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E6AA7 second address: 3E6ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7A904FB4D6h 0x0000000a pop esi 0x0000000b jng 00007F7A904FB4DCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E764C second address: 3E765F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F7A90C5ABB6h 0x0000000d jno 00007F7A90C5ABB6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EB27E second address: 3EB29A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4E6h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EB29A second address: 3EB2C9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7A90C5ABB6h 0x00000008 jns 00007F7A90C5ABB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ecx 0x00000013 jmp 00007F7A90C5ABC8h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EB2C9 second address: 3EB2CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EE6F8 second address: 3EE727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F7A90C5ABB6h 0x0000000a popad 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop edx 0x0000000f jmp 00007F7A90C5ABC8h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 pop eax 0x0000001a push edi 0x0000001b pop edi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EE727 second address: 3EE744 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EE5C8 second address: 3EE5D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F7A90C5ABB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 405FC4 second address: 405FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7A904FB4D6h 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007F7A904FB4E3h 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 405FE6 second address: 405FEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 405FEC second address: 405FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 405FF2 second address: 40600D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7A90C5ABB6h 0x00000008 jno 00007F7A90C5ABB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jc 00007F7A90C5ABB6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F4AA8 second address: 2F4AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F7A904FB4E0h 0x0000000b jp 00007F7A904FB4D6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F4AC6 second address: 2F4ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F4ACB second address: 2F4AE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4E3h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40D4AC second address: 40D4B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40D4B2 second address: 40D4B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40D4B8 second address: 40D4BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40D977 second address: 40D987 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F7A904FB4DAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40D987 second address: 40D997 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7A90C5ABB8h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40D997 second address: 40D99B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40D99B second address: 40D99F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40D99F second address: 40D9AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40D9AC second address: 40D9D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7A90C5ABB6h 0x0000000a jl 00007F7A90C5ABB6h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 jmp 00007F7A90C5ABC9h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 410FA0 second address: 410FA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 417A6B second address: 417A86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A90C5ABC7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 419858 second address: 41985D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41985D second address: 419863 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4193A4 second address: 4193D0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7A904FB4D6h 0x00000008 jmp 00007F7A904FB4E2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007F7A904FB4DCh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4125DA second address: 4125E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4125E0 second address: 4125E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 411111 second address: 41111A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41111A second address: 41114E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7A904FB4F1h 0x00000008 jmp 00007F7A904FB4DAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41114E second address: 411158 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 411158 second address: 41117E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4E6h 0x00000007 js 00007F7A904FB4D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41117E second address: 411182 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41130A second address: 41132A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A904FB4E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41132A second address: 41132E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41132E second address: 411337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 411337 second address: 41133D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41133D second address: 411342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4114AB second address: 4114E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A90C5ABC4h 0x00000007 jno 00007F7A90C5ABB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F7A90C5ABC8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 33569A second address: 3356A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7A904FB4D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 17DC9D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 3313F2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 3C046B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4970000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4C10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4B10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00323729 rdtsc 0_2_00323729
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 5824 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00362359 GetSystemInfo,VirtualAlloc,0_2_00362359
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: file.exe Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe Binary or memory string: \\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00323729 rdtsc 0_2_00323729
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0017B7EE LdrInitializeThunk,0_2_0017B7EE
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: (Program Manager

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exeRegistry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time ProtectionRegistry value created: DisableIOAVProtection 1Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time ProtectionRegistry value created: DisableRealtimeMonitoring 1Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\NotificationsRegistry value created: DisableNotifications 1Jump to behavior
Source: C:\Users\user\Desktop\file.exeRegistry value created: TamperProtection 0Jump to behavior
Source: C:\Users\user\Desktop\file.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptionsJump to behavior
Source: C:\Users\user\Desktop\file.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdatesJump to behavior
Source: C:\Users\user\Desktop\file.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocationsJump to behavior
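The registry writes above are exactly what a host sensor records as Sysmon Event ID 13 (RegistryEvent: value set). The Python below is an added example for this page (it is neither Joe Sandbox code nor the sample's code): it runs constructed Event ID 13 records, modelled on the writes listed above, against a watchlist built from those key/value pairs and reports the tampering. Assumptions not taken from the report: the key path of the TamperProtection value (HKLM\SOFTWARE\Microsoft\Windows Defender\Features, where Defender keeps that flag; the report shows only the value name), the svchost.exe allowlist for Group Policy driven writes, and the Sysmon JSON field names. One caveat a responder wants: on a host with Tamper Protection enabled, Defender ignores the Real-Time Protection policy values and the TamperProtection flag cannot be cleared this way, but the write attempts are still logged, so it is the attempt that should be detected.

```python
"""Flag the Defender / Windows Update registry tampering this sample performs,
using Sysmon Event ID 13 (RegistryEvent: value set) records as input.
Added example for this page; not Joe Sandbox code and not the sample's code."""
import json
import re

# Values the sample wrote (taken from the report) and the data that means
# "protection off". Key paths are relative to HKLM.
DEFENDER_TAMPER = {
    (r"SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications",
     "DisableNotifications"): 1,
    (r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "DisableIOAVProtection"): 1,
    (r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "DisableRealtimeMonitoring"): 1,
    # ASSUMPTION: the report shows only the value name; this is the key where
    # Defender keeps its feature flag (not a Policies key).
    (r"SOFTWARE\Microsoft\Windows Defender\Features", "TamperProtection"): 0,
}
# Windows Update policy values the sample touched. The report does not show the
# data written, so any write by an untrusted image is reported.
WU_POLICY = {
    (r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "AUOptions"),
    (r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "AutoInstallMinorUpdates"),
    (r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate",
     "DoNotConnectToWindowsUpdateInternetLocations"),
}
# ASSUMPTION / site-specific: Group Policy processing writes these keys from
# svchost.exe. Image paths are spoofable, so this only trims noise.
TRUSTED_WRITERS = {r"c:\windows\system32\svchost.exe"}

# Registry paths are case-insensitive, so match on lower-cased keys.
_TAMPER = {(k.lower(), v.lower()): d for (k, v), d in DEFENDER_TAMPER.items()}
_WU = {(k.lower(), v.lower()) for k, v in WU_POLICY}
_DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")   # Sysmon's Details format


def split_target(target):
    """'HKLM\\SOFTWARE\\...\\Key\\Name' -> ('SOFTWARE\\...\\Key', 'Name')."""
    for prefix in ("HKLM\\", "HKEY_LOCAL_MACHINE\\"):
        if target.upper().startswith(prefix):
            target = target[len(prefix):]
            break
    key, _, name = target.rpartition("\\")
    return key, name


def scan(event_lines):
    """Return one alert dict per matching Event ID 13 record (JSON, one per line)."""
    alerts = []
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("EventID") != 13:
            continue                      # only value-set events carry data
        key, name = split_target(ev["TargetObject"])
        m = _DWORD.search(ev.get("Details", ""))
        data = int(m.group(1), 16) if m else None
        lookup = (key.lower(), name.lower())
        reason = None
        if lookup in _TAMPER and data == _TAMPER[lookup]:
            reason = "Defender protection disabled via registry"
        elif lookup in _WU and ev["Image"].lower() not in TRUSTED_WRITERS:
            reason = "Windows Update policy changed by untrusted process"
        if reason:
            alerts.append({"image": ev["Image"], "key": key, "value": name,
                           "data": data, "reason": reason})
    return alerts


# Constructed records modelled on the writes in this report (not real telemetry).
_FILE = r"C:\Users\user\Desktop\file.exe"
_RTP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"EventID": 13, "Image": _FILE, "Details": "DWORD (0x00000001)",
     "TargetObject": _RTP + r"\DisableRealtimeMonitoring"},
    {"EventID": 13, "Image": _FILE, "Details": "DWORD (0x00000001)",
     "TargetObject": _RTP + r"\DisableIOAVProtection"},
    {"EventID": 13, "Image": _FILE, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center"
                     r"\Notifications\DisableNotifications"},
    {"EventID": 13, "Image": _FILE, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"},
    {"EventID": 13, "Image": _FILE, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions"},
    # benign: Group Policy client refreshing the same value -> no alert
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "Details": "DWORD (0x00000004)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions"},
    # key creation (ID 12) and an unrelated value -> ignored
    {"EventID": 12, "Image": _FILE, "TargetObject": _RTP},
    {"EventID": 13, "Image": _FILE, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKCU\Software\Demo\LastRun"},
)]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f'{a["reason"]}: {a["image"]} set {a["key"]}\\{a["value"]} = {a["data"]}')
```

The Defender checks match on the written data, so a Group Policy that re-enables protection (value 0) is not reported, while the Windows Update checks fire on any write by an image outside the allowlist because the report does not show what the sample wrote there.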
MITRE ATT&CK Matrix (only techniques with signature hits are listed; the remaining cells of the report's matrix are the empty ATT&CK template; the count column reproduces the digits shown next to each technique)

Tactic                 Technique                            Count (as rendered)
Execution              Command and Scripting Interpreter    2
Persistence            DLL Side-Loading                     1
Privilege Escalation   DLL Side-Loading                     1
Privilege Escalation   Process Injection                    1
Privilege Escalation   Bypass User Account Control          2
Defense Evasion        Masquerading                         1
Defense Evasion        Disable or Modify Tools              41
Defense Evasion        Virtualization/Sandbox Evasion       261
Defense Evasion        Process Injection                    1
Defense Evasion        Obfuscated Files or Information      2
Defense Evasion        Software Packing                     11
Defense Evasion        DLL Side-Loading                     1
Defense Evasion        Bypass User Account Control          2
Discovery              Security Software Discovery          641
Discovery              Process Discovery                    2
Discovery              Virtualization/Sandbox Evasion       261
Discovery              System Information Discovery         23
Collection             Archive Collected Data               1
Command and Control    Encrypted Channel                    1

Source     Detection   Scanner          Label   Link
file.exe   100%        Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1560172
Start date and time:2024-11-21 14:00:06 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 31s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.478304815860927
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:2'819'072 bytes
MD5:832c9676a2a7c2ad3af65ca7c3cde743
SHA1:b773918c7b1880094b9da6153d27c9d718032df7
SHA256:0ba03d7bec04e966e7190bd15147ceda3c950a0fcd02d2c0cfe0afd51e5b5eac
SHA512:39c64a295bba8e1aab00025bd1f44b6c67e770ed34285667b4243244c90641a71a894159f7c8d9f95d757370907cbfb8f5572350a37963129a06b9f7f436282d
SSDEEP:49152:2Cgk7+lo2sSwASoOt7sEBR8vWJVTAGzeEMJc05:rgk7+lo2sS5S57sErqWJhHyEMJc
TLSH:47D54AAAB50D71CBD48E23788567CD86697D42F9472108C3A82E7CBD7FA3CC115B6C26
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. ........................+.....$G+...`................................
Icon Hash:90cececece8e8eb0
Entrypoint:0x6b8000 (RVA 0x2b8000, the first byte of .taggant, the last section)
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE (NX_COMPAT is not set; HIGH_ENTROPY_VA only has an effect on 64-bit images)
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction (disassembly at the entry point, RVA 0x2b8000 in .taggant):
jmp 00007F7A907C1DDAh
After the jump the listed bytes decode almost entirely as add byte ptr [eax], al (zero bytes), with a few scattered data bytes (psrad mm5, inc eax, push es, or al, 80h and similar). The entry section therefore holds a single jump followed by non-code data rather than a compiler-generated prologue, which is consistent with the packer-related signatures (software packing, entry point outside standard sections) elsewhere in this report.
Name                                   Virtual Address   Virtual Size   Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0               0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x8055            0x69           .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x6000            0x59c          .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0               0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0               0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x81f8            0x8            .idata
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0               0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0               0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0               0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0               0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0               0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x0               0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0               0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0               0x0
Name       Virtual Address   Virtual Size   Raw Size   MD5                                Xored PE   ZLIB Complexity       File Type              Entropy             Characteristics
(blank)    0x2000            0x4000         0x1200     3f41fff97c587945ffa00de13c9990b4   False      0.9331597222222222    data                   7.79338871556311    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc      0x6000            0x59c          0x600      aae15e30898a02f09cc86ed48aa06b09   False      0.4140625             data                   4.036947054771808   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata     0x8000            0x2000         0x200      ec9cb51e8cb4ea49a56ee3cf434fb69e   False      0.1484375             data                   0.9342685949460681  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ssbqmpcp   0xa000            0x2ac000       0x2aa400   2ca505615633f92bb9f41a6f533faa9f   unknown    unknown               unknown                unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iyzbxbnx   0x2b6000          0x2000         0x400      775f961d7d0b6207427bc9e0860126e9   False      0.8095703125          data                   6.256613378409872   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant   0x2b8000          0x4000         0x2200     9b0b5b315402bb0fdfeaae221dccbd52   False      0.05514705882352941   DOS executable (COM)   0.6193635149757214  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name          RVA      Size    Type                                                                                      Language   Country   ZLIB Complexity
RT_VERSION    0x6090   0x30c   data                                                                                                           0.42948717948717946
RT_MANIFEST   0x63ac   0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                              0.5489795918367347

DLL            Import
kernel32.dll   lstrcpy
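Several of the static signatures in this report (section with special chars, non-standard section names, entry point outside standard sections, invalid checksum, and the writable-and-executable sections visible in the table above) are plain section-table checks. The Python below is an added example for this page, not Joe Sandbox's implementation: it parses the COFF and optional headers and the section table with struct only, computes the PE header checksum, and reports those findings. To run offline it builds a constructed 32-bit image whose section table copies the names, RVAs, sizes and characteristics shown above (headers only, no section data, so its checksum is not the real sample's). Import-table parsing (the single kernel32.dll!lstrcpy import) is not included. The checksum routine implements the documented PE algorithm (carry-folded 16-bit sum over the file, skipping the CheckSum field, plus the file length); it is assumed, not verified here, to match what imagehlp computes.

```python
"""Section-table triage for a PE32 image: the checks behind the report's
"section with special chars", "non-standard section names", "entry point
outside standard sections" and "invalid checksum" signatures, plus W+X sections.
Added example for this page, not Joe Sandbox's implementation."""
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names a normal MSVC / MinGW / Delphi build emits; anything else gets flagged.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc",
                     ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA", "BSS"}


def _headers(pe):
    """Return (optional header offset, entry RVA, header CheckSum, sections)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    checksum = struct.unpack_from("<I", pe, opt + 64)[0]    # CheckSum
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + size_opt + i * 40)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "chars": chars})
    return opt, entry_rva, checksum, sections


def pe_checksum(pe, checksum_off):
    """PE header checksum: carry-folded 16-bit sum over the whole file, skipping
    the 4-byte CheckSum field, plus the file length."""
    length = len(pe)
    if length % 2:
        pe += b"\0"
    total = 0
    for off in range(0, len(pe), 2):
        if checksum_off <= off < checksum_off + 4:
            continue
        total += struct.unpack_from("<H", pe, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    return (total + length) & 0xFFFFFFFF


def triage(pe):
    """Return human-readable findings for the section table of a PE32 image."""
    opt, entry_rva, checksum, sections = _headers(pe)
    findings, entry_section = [], None
    for s in sections:
        name = s["name"].decode("latin-1")
        if not s["name"]:
            findings.append("section with blank name at RVA 0x%x" % s["va"])
        elif any(b < 0x21 or b > 0x7E for b in s["name"]):
            findings.append("section name with non-printable bytes at RVA 0x%x" % s["va"])
        elif name not in STANDARD_SECTIONS:
            findings.append("non-standard section name %r" % name)
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("section %r is writable and executable" % name)
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_section = name
    if entry_section not in (".text", "CODE"):
        findings.append("entry point 0x%x lies in section %r, not in .text"
                        % (entry_rva, entry_section))
    computed = pe_checksum(pe, opt + 64)
    if checksum != computed:
        findings.append("header checksum 0x%x does not match computed 0x%x"
                        % (checksum, computed))
    return findings


def fix_checksum(pe):
    """Copy of the image with a correct CheckSum field (what a linker writes)."""
    opt = _headers(pe)[0]
    out = bytearray(pe)
    struct.pack_into("<I", out, opt + 64, pe_checksum(pe, opt + 64))
    return bytes(out)


def build_sample_pe():
    """Constructed 32-bit image whose section table copies the one in this
    report (names, RVAs, sizes, characteristics); headers only, no section data."""
    rwx = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    rw = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    sections = [  # (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics)
        (b"", 0x2000, 0x4000, 0x1200, rwx),
        (b".rsrc", 0x6000, 0x59C, 0x600, rw),
        (b".idata", 0x8000, 0x2000, 0x200, rw),
        (b"ssbqmpcp", 0xA000, 0x2AC000, 0x2AA400, rwx),
        (b"iyzbxbnx", 0x2B6000, 0x2000, 0x400, rwx),
        (b".taggant", 0x2B8000, 0x4000, 0x2200, rwx),
    ]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x652C2850, 0, 0, 0xE0, 0x0122)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2B8000)               # AddressOfEntryPoint = 0x6B8000 - ImageBase
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)         # SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 70, 0x0060)                 # HIGH_ENTROPY_VA | DYNAMIC_BASE
    table, raw_ptr = b"", 0x400
    for name, va, vsize, rawsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += rawsize
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (0x400 - len(image))             # CheckSum left at 0, as in the report's sample


if __name__ == "__main__":
    print(*triage(build_sample_pe()), sep="\n")
```

On the constructed image the triage reports the blank first section, the three random or unusual names (ssbqmpcp, iyzbxbnx, .taggant), four writable-and-executable sections, the entry point inside .taggant and the checksum mismatch; rewriting the CheckSum field with fix_checksum removes only the last finding, which is how a packed file with a valid checksum would look.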
No network behavior found


Target ID:0
Start time:08:01:01
Start date:21/11/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x170000 (runtime base; the header prefers 0x400000 and DYNAMIC_BASE is set, so the image was relocated, and the code addresses quoted in this report, e.g. 0x323729 and 0x362359, are relative to this runtime base)
File size:2'819'072 bytes
MD5 hash:832C9676A2A7C2AD3AF65CA7C3CDE743
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

    Execution Graph

    Execution Coverage: 4.9%
    Dynamic/Decrypted Code Coverage: 3.4%
    Signature Coverage: 6.1%
    Total number of Nodes: 264
    Total number of Limit Nodes: 18

    API calls reached in the execution graph (runtime addresses, image base 0x170000):
    • 0x35ce30 -> 0x35c7f7: CreateFileA, then 0x35c6ba: CloseHandle (CloseHandle is also reached from 0x35c6f9 via 0x35a74c, and directly at 0x32670b and 0x323729; CreateFileA also at 0x303ffc, 0x303ecf -> 0x303fa1 and 0x3041ec)
    • 0x35c410: GetCurrentThreadId (0x35a8a1), GetModuleHandleW, GetModuleHandleA; 0x35c563: GetCurrentThreadId, GetModuleHandleExA
    • 0x181a5f -> 0x1806cf -> 0x3624fa -> 0x3627ca -> 0x362bc4 -> 0x362ad2: GetModuleFileNameA; 0x362d85: VirtualProtect
    • 0x2ffc48 and 0x30d1ba -> 0x30d871: LoadLibraryA
    • 0x49b1510: ControlService; 0x49b1308: ImpersonateLoggedOnUser; 0x49b0d48: OpenSCManagerW
    • 0x17e69c and 0x17e528: VirtualAlloc; 0x17b9a2: LdrInitializeThunk
    • 0x30e0fc -> 0x30f732: RegOpenKeyA (two call sites), GetNativeSystemInfo
    • 0x35c0b8 / 0x35c0d9 -> 0x35bf00 -> 0x35bf67 ("15 API calls"): GetCurrentThreadId, LoadLibraryExA, LoadLibraryExW (also 0x35bd9f: LoadLibraryExA), PathAddExtensionA and lstrcmpiA (0x35ae54 path-matching helpers), VirtualAlloc (0x35b132, 0x35b255), lstrcmpiA (0x35b310, 0x35bc2f), VirtualProtect (0x35b522), GetProcAddress (0x35c1ce), lstrcpyn (0x35bb78), FreeLibrary (0x35c0fd). This cluster (load a library, compare names, GetProcAddress, allocate and re-protect memory) is the shape of a manual import resolver, which fits the single static import kernel32.dll!lstrcpy.
    • 0x362359: GetSystemInfo, VirtualAlloc, then repeated calls into 0x3626a5 (0x362571 -> 0x362bc4: GetModuleFileNameA, VirtualProtect; 0x3626fc -> 0x36270d: VirtualAlloc)

    Control-flow Graph: function 0x362359 (the report's graph colours blocks as executed / not executed; that colouring is not reproduced here)

    Blocks: 0x362359-0x362373 (GetSystemInfo) -> 0x3623b7-0x362400 (VirtualAlloc, call 0x3626a5), reached directly or through 0x362379-0x3623b1; then up to four further calls to 0x3626a5 (blocks at 0x362406, 0x362430, 0x36245a and 0x3624b7), each followed by a check that can branch to 0x3624e6 (call 0x3624ef) before the return at 0x3624ed.

    APIs
    • GetSystemInfo.KERNELBASE(?,-12155FEC), ref: 00362365
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 003623C6
      (lpAddress = NULL, dwSize = 0x4000, flAllocationType = 0x1000 = MEM_COMMIT, flProtect = 0x04 = PAGE_READWRITE)
    Memory Dump Source
    • Source File: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: d92441dda40ebcc17e58de670f27490cebbfea7e76bbd676c9b57850fe70d2c7
    • Instruction ID: 1fa56b4975af884986d562da24d1c577257f1113b239dbc99684794f49705fdb
    • Opcode Fuzzy Hash: d92441dda40ebcc17e58de670f27490cebbfea7e76bbd676c9b57850fe70d2c7
    • Instruction Fuzzy Hash: CE4122B2D00606AFF32ECF64CD45F9677BCFB08741F054066A643DE486EAB095D48BA4
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: the same set of memory dumps listed for the previous function (here the 0000000000323000 dump is the source and the 0000000000361000 dump appears among the associated ones)
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 8937e3189fae29c7b616c06211ad5a3ff4866afffcec919814a1a8f1e0a1bcd6
    • Instruction ID: b79a6984de8a73e35fc26542421e152c55793606fa9bb1b25f70d6c6cc6aae27
    • Opcode Fuzzy Hash: 8937e3189fae29c7b616c06211ad5a3ff4866afffcec919814a1a8f1e0a1bcd6
    • Instruction Fuzzy Hash: A731C2F250C614AFD301AE1DDD40A7AF7E9EF94760F2A892DE5C4D3B00E63499818B93
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID:
    • String ID: !!iH
    • API String ID: 0-3430752988
    • Opcode ID: b94eac7dc3a08a13128b225fc0100b86fb99f3a198fca86cf0b7ba3ebcc0e0e0
    • Instruction ID: 8ee84f7f798565ee03ecdf1050ef5c829de481a2c1236181945f6bcd63eb9295
    • Opcode Fuzzy Hash: b94eac7dc3a08a13128b225fc0100b86fb99f3a198fca86cf0b7ba3ebcc0e0e0
    • Instruction Fuzzy Hash: ECE0C2B118C589CACF169F20C88179EB62DDB65704F508116FB2D9AE85CB2D4C21875A

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 0035C085
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 0035C099
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: 941c3411b818b94fd560fd3e6439162268b82b83a17609fec2f95463f26bebd1
    • Instruction ID: eca5a99fdbaadfdeb653909138247ed1df1ff6a92b9da70a0b1ed68011d2ac21
    • Opcode Fuzzy Hash: 941c3411b818b94fd560fd3e6439162268b82b83a17609fec2f95463f26bebd1
    • Instruction Fuzzy Hash: 6D314771404209EFCF26AF64D804EAEBB79FF04356F119125FC069B5B1C73199A8EBA1

    Control-flow Graph (basic blocks and edges reconstructed from the graph data; executed and not-executed blocks were colour-coded in the original rendering)
    • 39: 35c47a-35c48b call 35bdde → 42, 43
    • 42: 35c496-35c49f call 35a8a1 → 49, 50
    • 43: 35c491 → 45
    • 45: 35c52a-35c52e → 47, 48
    • 47: 35c534-35c53d GetModuleHandleW → 51
    • 48: 35c542-35c545 GetModuleHandleA → 51
    • 49: 35c4a5-35c4b1 call 35afb3 → 56
    • 50: 35c4d3-35c4da → 54, 55
    • 51: 35c54b → 53
    • 53: 35c555-35c557 (no successors)
    • 54: 35c525 call 35a94c → 45
    • 55: 35c4e0-35c4e7 → 54, 57
    • 56: 35c4b6-35c4b8 → 54, 59
    • 57: 35c4ed-35c4f4 → 54, 60
    • 59: 35c4be-35c4c3 → 54, 61
    • 60: 35c4fa-35c501 → 54, 62
    • 61: 35c4c9-35c550 call 35a94c → 53
    • 62: 35c507-35c51b → 54
    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,0035C40C,?,00000000,00000000), ref: 0035C537
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,0035C40C,?,00000000,00000000), ref: 0035C545
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: cd00f02837f0afa3c4679606e298e99a45c909ad55efb277e1f8675c100e9f72
    • Instruction ID: ce33285301bc53a121c02f5defeb83ad47a96cec169b1aabd8ad9b0064ba152b
    • Opcode Fuzzy Hash: cd00f02837f0afa3c4679606e298e99a45c909ad55efb277e1f8675c100e9f72
    • Instruction Fuzzy Hash: FB115170114706EFDB339F55C808FA876B5BF0134BF569615EC02488F0E7B5AAD8DA91

    Control-flow Graph (basic blocks and edges reconstructed from the graph data; executed and not-executed blocks were colour-coded in the original rendering)
    • 66: 30e0fc-30f75a → 69, 70
    • 69: 30f783-30f79e RegOpenKeyA → 71, 72
    • 70: 30f75c-30f777 RegOpenKeyA → 69, 73
    • 71: 30f7a0-30f7aa → 72
    • 72: 30f7b6-30f7e2 → 76, 77
    • 73: 30f779 → 69
    • 76: 30f7e4-30f7ed GetNativeSystemInfo → 77
    • 77: 30f7ef-30f7f9 → 78, 79
    • 78: 30f805-30f813 → 81, 82
    • 79: 30f7fb → 78
    • 81: 30f815 → 82
    • 82: 30f81f-30f826 → 83, 84
    • 83: 30f839 → 83 (self-loop)
    • 84: 30f82c-30f833 → 83
    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0030F76F
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 0030F796
    • GetNativeSystemInfo.KERNELBASE(?), ref: 0030F7ED
    Memory Dump Source
    • Source File: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: 005c28f1f829449669a72b3488b8131e414eea14cf3425206c1f7b462668bc76
    • Instruction ID: 7b7cd3a4d44ef6b59596e502d4375423b0b7cee04735f83be5f56f1976bd8e69
    • Opcode Fuzzy Hash: 005c28f1f829449669a72b3488b8131e414eea14cf3425206c1f7b462668bc76
    • Instruction Fuzzy Hash: AD2139B150510E9FEF22DF50C9487EE36A9EF04304F004426EA0686E80D7B64CA4DF5E

    Control-flow Graph (basic blocks and edges reconstructed from the graph data; executed and not-executed blocks were colour-coded in the original rendering)
    • 85: 35ae54-35ae84 → 87, 88
    • 87: 35afaf-35afb0 (no successors)
    • 88: 35ae8a-35ae9f → 87, 90
    • 90: 35aea5-35aea9 → 91, 92
    • 91: 35aeaf-35aec1 PathAddExtensionA → 95
    • 92: 35aecb-35aed2 → 93, 94
    • 93: 35aef4-35aefb → 97, 98
    • 94: 35aed8-35aee7 call 35aaf5 → 101
    • 95: 35aeca → 92
    • 97: 35af01-35af08 → 102, 103
    • 98: 35af3d-35af44 → 99, 100
    • 99: 35af66-35af6d → 106, 107
    • 100: 35af4a-35af60 call 35aaf5 → 87, 99
    • 101: 35aeec-35aeee → 87, 93
    • 102: 35af21-35af30 call 35aaf5 → 109
    • 103: 35af0e-35af17 → 102, 108
    • 106: 35af73-35af89 call 35aaf5 → 87, 107
    • 107: 35af8f-35af96 → 87, 112
    • 108: 35af1d → 102
    • 109: 35af35-35af37 → 87, 98
    • 112: 35af9c-35afa9 call 35ab2e → 87
    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 0035AEB6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: e155c5e490659f39384258a600dae922e1f6289d1f74f7944003f76c6e87a911
    • Instruction ID: c777bbd94bf43cd180398f7519fd0e04960f76ffa970c6d429d6f0d509810ffb
    • Opcode Fuzzy Hash: e155c5e490659f39384258a600dae922e1f6289d1f74f7944003f76c6e87a911
    • Instruction Fuzzy Hash: F4314C75500A0ABFDF22DF94CC49F9E7B76BF08742F010251FD01A90A0E7729AA9EB55

    Control-flow Graph

    control_flow_graph 116 35c563-35c576 call 35a8a1 119 35c57c-35c588 call 35afb3 116->119 120 35c5b9-35c5cd call 35a94c GetModuleHandleExA 116->120 123 35c58d-35c58f 119->123 126 35c5d7-35c5d9 120->126 123->120 125 35c595-35c59c 123->125 127 35c5a5-35c5d2 call 35a94c 125->127 128 35c5a2 125->128 127->126 128->127
    APIs
      • Part of subcall function 0035A8A1: GetCurrentThreadId.KERNEL32 ref: 0035A8B0
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 0035C5C7
    Memory Dump Source
    • Source File: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleThread
    • String ID: .dll
    • API String ID: 2752942033-2738580789
    • Opcode ID: 1145e71a8391055f5ee96766ebe8e33a2a5ed25fe9b7ef33989b8cd841612497
    • Instruction ID: 7958c52853d6bb53685c1749f24b8a1857841c714841ed60d2faf42d5ef17770
    • Opcode Fuzzy Hash: 1145e71a8391055f5ee96766ebe8e33a2a5ed25fe9b7ef33989b8cd841612497
    • Instruction Fuzzy Hash: 46F0F0B1100709AFCB029F95C845EA93BB4BF0831AF528111FE0289471D731D968AB62

    Control-flow Graph

    control_flow_graph 131 3238bc-3238c0 CloseHandle 132 3238c6-323a48 131->132
    Memory Dump Source
    • Source File: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID: -
    • API String ID: 2962429428-1573137800
    • Opcode ID: 325eb23887c28f069ac546264708fc20532e9dfe9e0c2d3f6c13665aca1f40ad
    • Instruction ID: 054280b6dc54fe60db2abece22a00adc8f8d315ac2f5b76cb69d433fe0463d27
    • Opcode Fuzzy Hash: 325eb23887c28f069ac546264708fc20532e9dfe9e0c2d3f6c13665aca1f40ad
    • Instruction Fuzzy Hash: F9415AB250C304AFE341AF68EC8667AFBE9EF94360F164C2DE6C4C6610D77598849B53

    Control-flow Graph

    control_flow_graph 179 362d85-362d93 180 362db6-362dc0 call 362c1a 179->180 181 362d99-362dab 179->181 186 362dc6 180->186 187 362dcb-362dd4 180->187 181->180 185 362db1 181->185 188 362f15-362f17 185->188 186->188 189 362dec-362df3 187->189 190 362dda-362de1 187->190 192 362dfe-362e0e 189->192 193 362df9 189->193 190->189 191 362de7 190->191 191->188 192->188 194 362e14-362e20 call 362cef 192->194 193->188 197 362e23-362e27 194->197 197->188 198 362e2d-362e37 197->198 199 362e5e-362e61 198->199 200 362e3d-362e50 198->200 201 362e64-362e67 199->201 200->199 207 362e56-362e58 200->207 203 362f0d-362f10 201->203 204 362e6d-362e74 201->204 203->197 205 362ea2-362ebb 204->205 206 362e7a-362e80 204->206 213 362ed4-362edc VirtualProtect 205->213 214 362ec1-362ecf 205->214 208 362e86-362e8b 206->208 209 362e9d 206->209 207->199 207->203 208->209 210 362e91-362e97 208->210 211 362f05-362f08 209->211 210->205 210->209 211->201 215 362ee2-362ee5 213->215 214->215 215->211 217 362eeb-362f04 215->217 217->211
    Memory Dump Source
    • Source File: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c0e45171aa8b4612a2f289ec94f6f9ed73dccd4e1a9db764ecc80970952da4b9
    • Instruction ID: 4a82677170709e137507d30d1c99488129d0ef2ae14ed4de5bdd35b39dace40c
    • Opcode Fuzzy Hash: c0e45171aa8b4612a2f289ec94f6f9ed73dccd4e1a9db764ecc80970952da4b9
    • Instruction Fuzzy Hash: C9418B71900A0AEFDB2ACF10C948BAF7BB5FF04310F27C465E952AA595C372AC90DB51

    Control-flow Graph

    control_flow_graph 219 303ecf-303edd 220 303ee3-303eee 219->220 221 30425e-30439d call 30426b 219->221 223 303ef4 220->223 224 303f09-303f32 220->224 229 3043a3 221->229 230 3043a9-3043b6 221->230 223->224 231 303f45-303f7c 224->231 229->230 232 3043c1-3043d5 230->232 233 3043b8-3043bf 230->233 236 303fa1-304006 231->236 237 303f82-303f87 call 303f9a 231->237 235 3043d6-3043e5 call 3043e8 232->235 233->232 233->235 247 30400c-30400d 236->247 248 30400e-30402c CreateFileA 236->248 245 303f41-303f44 237->245 246 303f89-303fa0 237->246 245->231 246->236 247->248 248->221 250 304032-304034 248->250 251 30403a 250->251 252 304035 call 30403d 250->252 252->251
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00304023
    Memory Dump Source
    • Source File: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: c080b28e72e12c15fea0322fb03cde0d204fdf479ac4aacdab9f49a68efe6953
    • Instruction ID: 78e4fdaa67db7ff80fbcee3ef5b12b92de79a8e42b8db940815365573d730927
    • Opcode Fuzzy Hash: c080b28e72e12c15fea0322fb03cde0d204fdf479ac4aacdab9f49a68efe6953
    • Instruction Fuzzy Hash: 1121D5F668E357ADF7428F149A61AFE7BACE7C1730F20402AF941968C1D2A15E059A24

    Control-flow Graph (rendered graph not included; extracted block and edge listing follows)
    control_flow_graph 253 35c7f7-35c806 call 35a97f 256 35c90c 253->256 257 35c80c-35c81d call 35c7bd 253->257 259 35c913-35c917 256->259 261 35c823-35c827 257->261 262 35c83d-35c883 CreateFileA 257->262 263 35c82d-35c839 call 361845 261->263 264 35c83a 261->264 265 35c8ce-35c8d1 262->265 266 35c889-35c8aa 262->266 263->264 264->262 268 35c904-35c907 call 35c64c 265->268 269 35c8d7-35c8ee call 35a6c1 265->269 266->265 275 35c8b0-35c8cd 266->275 268->256 269->259 276 35c8f4-35c8ff call 35c6ba 269->276 275->265 276->256
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 0035C879
    Memory Dump Source
    • Source File: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 34be4a47d66e678e2e0bd43c3d2ee7b284befe36ef11467492c8145e492a8026
    • Instruction ID: daad57d9d1cbe046ae83455d2847604c4dfcac0fe1fa2b0d97d04e2035065392
    • Opcode Fuzzy Hash: 34be4a47d66e678e2e0bd43c3d2ee7b284befe36ef11467492c8145e492a8026
    • Instruction Fuzzy Hash: 3731D271600308BFEB219F64DC45F99B7B8FB04729F218265FA11EE0E1D7B2A646CB54

    Control-flow Graph (rendered graph not included; extracted block and edge listing follows)
    control_flow_graph 280 303f11-303f32 283 303f45-303f7c 280->283 285 303fa1-304006 283->285 286 303f82-303f87 call 303f9a 283->286 293 30400c-30400d 285->293 294 30400e-30402c CreateFileA 285->294 291 303f41-303f44 286->291 292 303f89-303fa0 286->292 291->283 292->285 293->294 296 304032-304034 294->296 297 30425e-30439d call 30426b 294->297 299 30403a 296->299 300 304035 call 30403d 296->300 303 3043a3 297->303 304 3043a9-3043b6 297->304 300->299 303->304 305 3043c1-3043d5 304->305 306 3043b8-3043bf 304->306 307 3043d6-3043e5 call 3043e8 305->307 306->305 306->307
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00304023
    Memory Dump Source
    • Source File: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 3b3406896c11d13a448df52ef750ef6ea2fd1d36afee7428e23d40635000e42d
    • Instruction ID: 6080d07c7c764b7bbec073851389be12676d21781122b6cd8c97cbdaf28aa511
    • Opcode Fuzzy Hash: 3b3406896c11d13a448df52ef750ef6ea2fd1d36afee7428e23d40635000e42d
    • Instruction Fuzzy Hash: 7E2128F658E306AEF7028F149D61AFE7B7CEBC1774F31401AF9419A8C2D3A01E059664

    Control-flow Graph (rendered graph not included; extracted block and edge listing follows)
    control_flow_graph 311 303f37-303f42 312 303f33-303f36 311->312 313 303f44 311->313 312->311 314 303f45-303f7c 313->314 316 303fa1-304006 314->316 317 303f82-303f87 call 303f9a 314->317 324 30400c-30400d 316->324 325 30400e-30402c CreateFileA 316->325 322 303f41-303f44 317->322 323 303f89-303fa0 317->323 322->314 323->316 324->325 327 304032-304034 325->327 328 30425e-30439d call 30426b 325->328 330 30403a 327->330 331 304035 call 30403d 327->331 334 3043a3 328->334 335 3043a9-3043b6 328->335 331->330 334->335 336 3043c1-3043d5 335->336 337 3043b8-3043bf 335->337 338 3043d6-3043e5 call 3043e8 336->338 337->336 337->338
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00304023
    Memory Dump Source
    • Source File: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 0c2b172c7e243f228a75406ee5e67b1b5d23c914ab91e60b029c7e457ab16d41
    • Instruction ID: 1d339f4de4d9327a361121321e1b74ce6d54de1b579bf5de263569c81b3310cc
    • Opcode Fuzzy Hash: 0c2b172c7e243f228a75406ee5e67b1b5d23c914ab91e60b029c7e457ab16d41
    • Instruction Fuzzy Hash: 19210AB669A306AEF7028F248D61AFE776CE7C1730F20401AF5018B8C1D3A15F158664

    Control-flow Graph (rendered graph not included; extracted block and edge listing follows)
    control_flow_graph 342 303f07-303f32 345 303f45-303f7c 342->345 347 303fa1-304006 345->347 348 303f82-303f87 call 303f9a 345->348 355 30400c-30400d 347->355 356 30400e-30402c CreateFileA 347->356 353 303f41-303f44 348->353 354 303f89-303fa0 348->354 353->345 354->347 355->356 358 304032-304034 356->358 359 30425e-30439d call 30426b 356->359 361 30403a 358->361 362 304035 call 30403d 358->362 365 3043a3 359->365 366 3043a9-3043b6 359->366 362->361 365->366 367 3043c1-3043d5 366->367 368 3043b8-3043bf 366->368 369 3043d6-3043e5 call 3043e8 367->369 368->367 368->369
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00304023
    Memory Dump Source
    • Source File: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 541de5e0a31930827131b8760283c9864646ef08196429923a555ac2623ad304
    • Instruction ID: 9984b3acb22af52cd5aa322d3e80f07f61ebb6f407f2d57cfd2b405a415576d9
    • Opcode Fuzzy Hash: 541de5e0a31930827131b8760283c9864646ef08196429923a555ac2623ad304
    • Instruction Fuzzy Hash: 3911D5F668E206ADF7028F149E61AFE776CE7C1734F30402AF9019ACC0D2A15F059A64
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00304023
    Memory Dump Source
    • Source File: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 37cfa1c78dfd7c2f59d592f664e8d643c710d9b61347c45412dd98e006c18804
    • Instruction ID: a550e2456688c6b6f0f7cf925dd6f272db18cd958c36ff341e028eaea5780563
    • Opcode Fuzzy Hash: 37cfa1c78dfd7c2f59d592f664e8d643c710d9b61347c45412dd98e006c18804
    • Instruction Fuzzy Hash: 79113FF628D2467DF7038F149D61AFA7BADE7C1734F304069F9819A8C1D3611E069634
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,00000000), ref: 00362B7F
    Memory Dump Source
    • Source File: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: 44662177992f926c45f35ba1343c31da4f55e000d718560232e220091b42b5d9
    • Instruction ID: 068ee8bf20de33bae8fd1f417b844c77ce001b015070c3b3e63b8e515f4f1762
    • Opcode Fuzzy Hash: 44662177992f926c45f35ba1343c31da4f55e000d718560232e220091b42b5d9
    • Instruction Fuzzy Hash: D5118171A01A259FEB329E04CC48BEF7B7CEF44751F13C0A5E805B7049DBB49D818AA1
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00304023
    Memory Dump Source
    • Source File: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 1f29905bdea31f2ea3b7ff6abfd55fe1d181548b3047b1e017d9576dca8a89f0
    • Instruction ID: b58fcca1e52157ed7c6b1986db01077c19e4ede751fba78eb18ad2b31e89e330
    • Opcode Fuzzy Hash: 1f29905bdea31f2ea3b7ff6abfd55fe1d181548b3047b1e017d9576dca8a89f0
    • Instruction Fuzzy Hash: 0D01D6F254F2296DE626DE105D31BBBB21CDB91330F31842AF701FA4C1D1911F195628
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 049B0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1875446022.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 848a5d0b41d115ddec829825c252f74452ea73f03e990de1f0717d439a065b7f
    • Instruction ID: d4cd1d828903a7dfd50fd908c669db90252ff420f2082c2f62e23059decc2c11
    • Opcode Fuzzy Hash: 848a5d0b41d115ddec829825c252f74452ea73f03e990de1f0717d439a065b7f
    • Instruction Fuzzy Hash: 202115B6C013189FCB50DF99D984ADEFBF4FB88310F15862AE908AB345D734A544CBA5
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 049B0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1875446022.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: a26b7dc67af78d984bca02b2bd389b97178f675e7c48d1e0e6e9b38bf8714a4e
    • Instruction ID: f73d6886c267d2e760c080756dd0539583a9bbf2283549cd3a632928e5bf8d84
    • Opcode Fuzzy Hash: a26b7dc67af78d984bca02b2bd389b97178f675e7c48d1e0e6e9b38bf8714a4e
    • Instruction Fuzzy Hash: 512104B6900309CFCB54CF99D584ADEFBF5FB88310F15866AD948AB244D734A544CBA4
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00304023
    Memory Dump Source
    • Source File: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: c05206a35b6b0907f500e474ea29022654dc54ba76599382d8ed7f0a618e238d
    • Instruction ID: 5ce7d903b950243b6f94c3b6f7b1864f5824ababf7b5cb1a91de630caf7e5061
    • Opcode Fuzzy Hash: c05206a35b6b0907f500e474ea29022654dc54ba76599382d8ed7f0a618e238d
    • Instruction Fuzzy Hash: 1E0184F728A21A6DF302CE459E61AFE776DE7C1774F30802AF901DA881D3914E055574
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 049B1580
    Memory Dump Source
    • Source File: 00000000.00000002.1875446022.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 1064dffe1fa8b3849114a8f003712b003e61400d6d2a633db59baa6bc18a9eb2
    • Instruction ID: 48ef6926c4b0705e88bcb52f0ee4532117341fa5389ce3dffcb1af04a1a4060f
    • Opcode Fuzzy Hash: 1064dffe1fa8b3849114a8f003712b003e61400d6d2a633db59baa6bc18a9eb2
    • Instruction Fuzzy Hash: 1411E4B19003499FDB10DF9AD585BDEFBF4EB48320F10842AE959A3350D778A644CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 049B1580
    Memory Dump Source
    • Source File: 00000000.00000002.1875446022.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: db2583cafc6a6ad04954a41ec1816d5a2665eacf23478e8c0d9a06ddc5714ad8
    • Instruction ID: d45da1b067bb0a08c0723cee3035f2a38c36d54e04352cc46659793a02168a0f
    • Opcode Fuzzy Hash: db2583cafc6a6ad04954a41ec1816d5a2665eacf23478e8c0d9a06ddc5714ad8
    • Instruction Fuzzy Hash: 952100B59003098FDB10CF9AD585BDEBBF4AB48320F10842AE959A7250D778AA44CFA5
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00304208
    Memory Dump Source
    • Source File: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: e5898efaed3dcf1edec72a83b55a9c51f7f42102588cbb82c21f1f823dfc421d
    • Instruction ID: 68a6c3845c79f7d93b700812fb6762fb1a32b5d6b67337319b30374c35e7ba0e
    • Opcode Fuzzy Hash: e5898efaed3dcf1edec72a83b55a9c51f7f42102588cbb82c21f1f823dfc421d
    • Instruction Fuzzy Hash: DA01C0B164520E9FCB16DF68D8307DE37A9EB84320F10586AE915CBEC1D7720E609F68
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00304023
    Memory Dump Source
    • Source File: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 5db6f6164c2af86a2178169794bd8189d2c3b6f442df8f7010549a2a42e1ff5a
    • Instruction ID: 33890b4fb13da4abec539e1de3c89622567dfb8524d651d32366c1deeb274101
    • Opcode Fuzzy Hash: 5db6f6164c2af86a2178169794bd8189d2c3b6f442df8f7010549a2a42e1ff5a
    • Instruction Fuzzy Hash: 87F0F6F718E2166DF311CE44AEA1DFAA39CE6C2734B30802AEA02EB8C1D2910E095074
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE(?), ref: 049B1367
    Memory Dump Source
    • Source File: 00000000.00000002.1875446022.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 5d54b73a979582cb7290454502e85ad649171c25fe6cfb22fec0460783748bf4
    • Instruction ID: 107676c3ff43b5216266414c2b29d2b62bc0a3db42f3823330ecdf6f3cfe8344
    • Opcode Fuzzy Hash: 5d54b73a979582cb7290454502e85ad649171c25fe6cfb22fec0460783748bf4
    • Instruction Fuzzy Hash: 1A1125B1800349CFDB10DF9AD545BEEFBF4EB48320F10842AD598A3240D778A544CFA5
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00304208
    Memory Dump Source
    • Source File: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 6b92f86fc9688c969ea20eaf0fe81acb92d39329dde0b879c38138e5a6c3cd80
    • Instruction ID: 8a388d98c1d0d6bec36eb21f4945699de1888f07ba08fc3ca61f753d5c40b5bb
    • Opcode Fuzzy Hash: 6b92f86fc9688c969ea20eaf0fe81acb92d39329dde0b879c38138e5a6c3cd80
    • Instruction Fuzzy Hash: 40019EF164621E9FCB1ADF1888307EE3699EB54320F20582AEA15C7DC2D7724E609B58
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE(?), ref: 049B1367
    Memory Dump Source
    • Source File: 00000000.00000002.1875446022.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: cd31af721db4a6be2815a8501954e3ed0277370289224f03e3520139c85401c5
    • Instruction ID: 1d510f7f067c560fdf2c6f721db59d596fd902dbc03b5142840c76e5a7e9a4bd
    • Opcode Fuzzy Hash: cd31af721db4a6be2815a8501954e3ed0277370289224f03e3520139c85401c5
    • Instruction Fuzzy Hash: 3311F2B18003498FDB10DF9AD945BDEBBF8EB48320F24846AE558A3650D778A944CBA5
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00304208
    Memory Dump Source
    • Source File: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: be34c4a8263fcc88117e36b5285b2ed1ba2f4340b52179c3818ff9b0a276c995
    • Instruction ID: 176e455265eece146bd8c33b07f7831c13ebc3cb53ede929c7543f19048ebe1e
    • Opcode Fuzzy Hash: be34c4a8263fcc88117e36b5285b2ed1ba2f4340b52179c3818ff9b0a276c995
    • Instruction Fuzzy Hash: 35019AB164120E8FCB19CF68C87479E32A9EB08314F10542EEA15CBAC1E7724E209F58
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 95058f403c0c1a102aaa0de2191e9eadce228dd71ad7e715a4922ea4f4a95a7d
    • Instruction ID: 31e89b1df59c896f92e29f92efa24f8b22b077431f6bf1669b4d42490782d40b
    • Opcode Fuzzy Hash: 95058f403c0c1a102aaa0de2191e9eadce228dd71ad7e715a4922ea4f4a95a7d
    • Instruction Fuzzy Hash: 4FF0A4B101C2546FD7159F69964087DFFE4EF86B20F0A886EE4C48B206D3300451CB92
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: f7cabeeadb686b5f6af65b5f2b3556da3a7fc716c2af8836ba1bf230984f1fc3
    • Instruction ID: bddd2a45da0722d28d1cafdae1ed467000a6e3ee88531d840a8b39b34c8a2604
    • Opcode Fuzzy Hash: f7cabeeadb686b5f6af65b5f2b3556da3a7fc716c2af8836ba1bf230984f1fc3
    • Instruction Fuzzy Hash: CED052B981EA08CBC7122F50D84837E76A8AB00300F11482C8BD20AE80E63644A0ABCB
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: 5e06cc824a6c56c3ae85f59d10d0fb60eae75808ccab06d406ca037ec6fc4454
    • Instruction ID: 5a567b3530f14d4c53cae5b109c8b2e9b8ca776ee5b048d20479107d02ba616c
    • Opcode Fuzzy Hash: 5e06cc824a6c56c3ae85f59d10d0fb60eae75808ccab06d406ca037ec6fc4454
    • Instruction Fuzzy Hash: FC01D635A00909BFCF129FA5CC04DDEBFBAEF44341F004261B901A4060D7328A65EF61
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,003626F8,?,?,003623FE,?,?,003623FE,?,?,003623FE), ref: 0036271C
    Memory Dump Source
    • Source File: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: c9aea4c9fa202b5e9166b7918dd4c083d6886cc1e52857b1a22762ec7bf60832
    • Instruction ID: 1d239683af1d74deb4b25bd90376fae2368d87c36b154cef8b5f8404abe811c3
    • Opcode Fuzzy Hash: c9aea4c9fa202b5e9166b7918dd4c083d6886cc1e52857b1a22762ec7bf60832
    • Instruction Fuzzy Hash: 10F086B1900605DFDB258F14CD49F59BBB4FF44752F11C059F44A9B692D7B198C0DB50
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 0017F775
    Memory Dump Source
    • Source File: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 4bf616bca4ff17809ffd27046896ab24e445068ec4723717b269739dc5f20a71
    • Instruction ID: 6ff4846ac064c4165b751489b1ad1b9ff207b9a2ab3030843484f8f33cd04e2e
    • Opcode Fuzzy Hash: 4bf616bca4ff17809ffd27046896ab24e445068ec4723717b269739dc5f20a71
    • Instruction Fuzzy Hash: 27F0A4B291C2119FD705AF14C84166EB7E5EF58315F1A482DD9C997240E33168A0DB87
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 0017F5D1
    Memory Dump Source
    • Source File: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a57861207f5f79bbf71630807d1680af8ade473dd3003705e8356017147deae4
    • Instruction ID: c3bd0d404bc0913e27f4cffeb2c545a3ae37e7a0696245d2c9f6a97ca3f7d460
    • Opcode Fuzzy Hash: a57861207f5f79bbf71630807d1680af8ade473dd3003705e8356017147deae4
    • Instruction Fuzzy Hash: 5FE04F37208309DFC7441F68D80C1DE3BF1EF88775F224629E896866C0CB365C90E615
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: cfd86f2b2704b1c7b143dc13cfe5a48c07a1b75339f252ecf78b458031dd266d
    • Instruction ID: 1605963388f85af82fd8754f3ccf3a3bf14e6e79b4b9870ebaa9a0049afbfe0f
    • Opcode Fuzzy Hash: cfd86f2b2704b1c7b143dc13cfe5a48c07a1b75339f252ecf78b458031dd266d
    • Instruction Fuzzy Hash: FFC0127191C3A5AEC75257349C767992F798F16141F050446F18189083C44404558755
    APIs
    • CloseHandle.KERNELBASE(?,?,0035A740,?,?), ref: 0035C6C0
    Memory Dump Source
    • Source File: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 362b468c9cfde10361fc1e73a5aa3ec26ce032dd52021370b8cd1b59c3282625
    • Instruction ID: 8857db5474fdf94efd9aacd17a785a654c3da472b41a4f13bebecf55546f0f74
    • Opcode Fuzzy Hash: 362b468c9cfde10361fc1e73a5aa3ec26ce032dd52021370b8cd1b59c3282625
    • Instruction Fuzzy Hash: 64B09231101208BFCB02BF55EC66C8DBF79BF11399B049120B916481718BB2EA649BD4
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 03056939375c9e92636b7eb93f146bab75e366792b923301b0dfff32f710b1fc
    • Instruction ID: 33593e2f5879854561a3c9529822c045de1c4bc55a113a8fddcf750592cc70ec
    • Opcode Fuzzy Hash: 03056939375c9e92636b7eb93f146bab75e366792b923301b0dfff32f710b1fc
    • Instruction Fuzzy Hash: 19B01231D4827A75CBA3AB7CFC3FF6E3D181F14F09F100086F64B154C6845910044764
    Memory Dump Source
    • Source File: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e35e972dc6253588ef7752e86dd9982ee9d9d4e40d653b10616669aa23d79f87
    • Instruction ID: 679254a46931b23b1e7e371f20dc48d89c2b2a45d32edd3fb17c0079390783b0
    • Opcode Fuzzy Hash: e35e972dc6253588ef7752e86dd9982ee9d9d4e40d653b10616669aa23d79f87
    • Instruction Fuzzy Hash: C23168B251D310EFE70AAF28D8816BAFBE5EF45310F06482EE6C1C3650D6359880CB97
    Memory Dump Source
    • Source File: 00000000.00000002.1872774059.00000000002FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
    • Associated: 00000000.00000002.1872321197.0000000000170000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872336607.0000000000172000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872353063.0000000000176000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872369013.000000000017A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872386415.0000000000184000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872403772.0000000000185000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872458357.0000000000186000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872730021.00000000002E4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872751108.00000000002E6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872774059.000000000030B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872814946.000000000030D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872836029.0000000000312000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872862298.0000000000323000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872880218.0000000000324000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872897536.0000000000325000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872916967.0000000000326000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872932820.0000000000327000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872949100.0000000000328000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1872969199.000000000033A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873008754.000000000033B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873042725.0000000000345000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873092809.0000000000350000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873119797.000000000035D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873138000.0000000000361000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873157339.0000000000363000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873175234.0000000000365000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873198047.0000000000378000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873218051.000000000037C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873234750.000000000037D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873254830.0000000000380000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873271370.0000000000381000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873287343.0000000000386000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873305480.0000000000394000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873323810.0000000000398000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873338350.0000000000399000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873353804.000000000039B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873368337.000000000039C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873384979.00000000003A2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873401182.00000000003AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873417931.00000000003AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873434632.00000000003B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873448352.00000000003B7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873469898.00000000003C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873485336.00000000003C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873515932.000000000040D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873531074.000000000040E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.000000000040F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873548818.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873584935.0000000000426000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1873607634.0000000000428000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_170000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: dbf33b71eec9b578b93ccb74f1177590b117f0a5b4e1a911226339345351c7ea
    • Instruction ID: 8f9609d4730371a9b176a655da1c508bdab38a68f2c04c2ba634cdff7337e9b4
    • Opcode Fuzzy Hash: dbf33b71eec9b578b93ccb74f1177590b117f0a5b4e1a911226339345351c7ea
    • Instruction Fuzzy Hash: E43149B251C310EFE70AAF68D8916BAFBE5EF49310F06082EE6D5C3650D6354890CB97