Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561395
MD5: a4ccc1e6f4894f4832ff349ee223714f
SHA1: c1863ef0b3b70c0210e30bac674ccd04b0bc5857
SHA256: f7a868b76e3f413f7cbeafd75c889febb45650ab6c963449f0c1d7ccc833c3b8
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7696 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A4CCC1E6F4894F4832FF349EE223714F)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F90A7 CryptVerifySignatureA | 0_2_004F90A7
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2190546822.00000000046D0000.00000004.00001000.00020000.00000000.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A8202 | 0_2_004A8202
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A435E | 0_2_004A435E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A4BD5 | 0_2_004A4BD5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032DDDC | 0_2_0032DDDC
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004F409C appears 35 times
Source: file.exe, 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename defOff.exe vs file.exe
Source: file.exe | Binary or memory string: OriginalFilename defOff.exe vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: ,RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2761728 > 1048576
Source: file.exe | Static PE information: Raw size of teifcfsu is bigger than: 0x100000 < 0x29c400
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2190546822.00000000046D0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.320000.0.unpack :EW;.rsrc:W;.idata :W;teifcfsu:EW;cxpiqsak:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2a85fb should be: 0x2ac6e1
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: teifcfsu
Source: file.exe | Static PE information: section name: cxpiqsak
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B10BB push esi; mov dword ptr [esp], eax | 0_2_004B10C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B10BB push 776AD452h; mov dword ptr [esp], ebx | 0_2_004B10CF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A370E push ecx; mov dword ptr [esp], 5E379B91h | 0_2_004A373D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A370E push ebp; mov dword ptr [esp], 56F1A8E7h | 0_2_004A376E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A370E push edi; mov dword ptr [esp], edx | 0_2_004A37AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A370E push eax; mov dword ptr [esp], edx | 0_2_004A37CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A370E push 6121F141h; mov dword ptr [esp], eax | 0_2_004A3839
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032EC69 push edx; mov dword ptr [esp], 46214A4Ah | 0_2_0032F94A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032EC69 push 5CC570BBh; mov dword ptr [esp], eax | 0_2_0032F983
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A6042 push 6810E7BAh; mov dword ptr [esp], ebp | 0_2_004A6233
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A706F push ebx; ret | 0_2_004A707E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B0063 push 1169B800h; mov dword ptr [esp], eax | 0_2_004B089C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B2074 push 2E9A4C1Ch; mov dword ptr [esp], edi | 0_2_004B2079
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B000E push 78CF5141h; mov dword ptr [esp], ecx | 0_2_004B36B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B100E push 2AA13541h; mov dword ptr [esp], edi | 0_2_004B4414
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B7004 push 4E115C74h; mov dword ptr [esp], eax | 0_2_004B711F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B701B push esi; mov dword ptr [esp], ecx | 0_2_004B7035
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032D067 push 7D980C39h; mov dword ptr [esp], esi | 0_2_0032D043
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00586036 push 4A618942h; mov dword ptr [esp], eax | 0_2_0058604E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00529029 push 63771DFCh; mov dword ptr [esp], edx | 0_2_0052904A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00529029 push ecx; mov dword ptr [esp], eax | 0_2_00529074
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00529029 push 1B854726h; mov dword ptr [esp], ebx | 0_2_005290D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A00CB push ebx; mov dword ptr [esp], ecx | 0_2_004A00CE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A00CB push 555632E6h; mov dword ptr [esp], esi | 0_2_004A00D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A00CB push 7979FEA1h; mov dword ptr [esp], ebp | 0_2_004A00FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003320BC push 4F469400h; mov dword ptr [esp], edx | 0_2_003320D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B10ED push ebp; mov dword ptr [esp], eax | 0_2_004B4797
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B50F2 push ebx; mov dword ptr [esp], 5FEF9100h | 0_2_005B511F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A40FD push ecx; mov dword ptr [esp], edi | 0_2_004A410E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A40FD push edx; mov dword ptr [esp], esi | 0_2_004A413C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A40FD push ecx; mov dword ptr [esp], 68837005h | 0_2_004A4150
Source: file.exe | Static PE information: section name: entropy: 7.771586120312369

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D9019 second address: 4D902D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1954C8B6EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E0123 second address: 4E018E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 js 00007F1954E883E0h 0x0000000e nop 0x0000000f jp 00007F1954E883DBh 0x00000015 xor bx, 4782h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007F1954E883D8h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 mov dword ptr [ebp+122D34CCh], eax 0x0000003c push 00000000h 0x0000003e jc 00007F1954E883DCh 0x00000044 mov dword ptr [ebp+122D2AAFh], ecx 0x0000004a push eax 0x0000004b pushad 0x0000004c pushad 0x0000004d push ebx 0x0000004e pop ebx 0x0000004f jng 00007F1954E883D6h 0x00000055 popad 0x00000056 pushad 0x00000057 jp 00007F1954E883D6h 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB020 second address: 4DB024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DBAE6 second address: 4DBAEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DC4C4 second address: 4DC4D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DBAEA second address: 4DBAF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DC4D2 second address: 4DC4D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DC4D6 second address: 4DC4E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1954E883DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E2FE8 second address: 4E2FF2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1954C8B6E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DC4E4 second address: 4DC4EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E2FF2 second address: 4E3065 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F1954C8B6EBh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F1954C8B6E8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 push 00000000h 0x0000002a je 00007F1954C8B6E6h 0x00000030 push 00000000h 0x00000032 jg 00007F1954C8B6ECh 0x00000038 xchg eax, esi 0x00000039 jmp 00007F1954C8B6F8h 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jns 00007F1954C8B6E8h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50E5 second address: 4E50E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E3283 second address: 4E328A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E41E0 second address: 4E4204 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F1954E883DBh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 jne 00007F1954E883D6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50E9 second address: 4E50ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E328A second address: 4E328F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50ED second address: 4E5171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F1954C8B6EEh 0x0000000e jmp 00007F1954C8B6F0h 0x00000013 popad 0x00000014 nop 0x00000015 mov ebx, dword ptr [ebp+122D3262h] 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007F1954C8B6E8h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 00000017h 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 mov edi, dword ptr [ebp+122D31BEh] 0x0000003d push 00000000h 0x0000003f and ebx, dword ptr [ebp+1246715Ch] 0x00000045 xchg eax, esi 0x00000046 jns 00007F1954C8B6FAh 0x0000004c push eax 0x0000004d jbe 00007F1954C8B6F8h 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5171 second address: 4E5175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5175 second address: 4E5179 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E52C2 second address: 4E52D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1954E883DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6335 second address: 4E63C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop esi 0x00000008 popad 0x00000009 nop 0x0000000a jmp 00007F1954C8B6EEh 0x0000000f push dword ptr fs:[00000000h] 0x00000016 pushad 0x00000017 or dword ptr [ebp+1247AE39h], eax 0x0000001d mov dh, 9Ah 0x0000001f popad 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push ecx 0x0000002a call 00007F1954C8B6E8h 0x0000002f pop ecx 0x00000030 mov dword ptr [esp+04h], ecx 0x00000034 add dword ptr [esp+04h], 00000019h 0x0000003c inc ecx 0x0000003d push ecx 0x0000003e ret 0x0000003f pop ecx 0x00000040 ret 0x00000041 js 00007F1954C8B6EBh 0x00000047 xor bx, 7267h 0x0000004c mov eax, dword ptr [ebp+122D1585h] 0x00000052 movsx ebx, dx 0x00000055 push FFFFFFFFh 0x00000057 mov bl, A9h 0x00000059 nop 0x0000005a jmp 00007F1954C8B6EDh 0x0000005f push eax 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F1954C8B6F1h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E71AD second address: 4E71B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E71B1 second address: 4E71B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E82FB second address: 4E8301 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EA32C second address: 4EA34F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F1954C8B6F3h 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F1954C8B6E6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB473 second address: 4EB477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB477 second address: 4EB47D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EA4CC second address: 4EA4EA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1954E883E6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EC511 second address: 4EC52E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1954C8B6EBh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jc 00007F1954C8B6E6h 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED4AB second address: 4ED4D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1954E883E4h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F1954E883DBh 0x00000012 pushad 0x00000013 push eax 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EC52E second address: 4EC545 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1954C8B6F3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED4D7 second address: 4ED51A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 cld 0x00000008 mov dword ptr [ebp+12468DF8h], esi 0x0000000e push 00000000h 0x00000010 mov dword ptr [ebp+122D2FCFh], ebx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F1954E883D8h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 xchg eax, esi 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F1954E883DBh 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EC545 second address: 4EC5E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1954C8B6F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c movzx edi, di 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F1954C8B6E8h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 jnl 00007F1954C8B6E8h 0x0000003d mov eax, dword ptr [ebp+122D1569h] 0x00000043 push 00000000h 0x00000045 push esi 0x00000046 call 00007F1954C8B6E8h 0x0000004b pop esi 0x0000004c mov dword ptr [esp+04h], esi 0x00000050 add dword ptr [esp+04h], 0000001Bh 0x00000058 inc esi 0x00000059 push esi 0x0000005a ret 0x0000005b pop esi 0x0000005c ret 0x0000005d and edi, dword ptr [ebp+122D3C3Ah] 0x00000063 push FFFFFFFFh 0x00000065 mov dword ptr [ebp+122D3480h], eax 0x0000006b nop 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 pushad 0x00000071 popad 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EC5E0 second address: 4EC5EA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1954E883D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE670 second address: 4EE68A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1954C8B6E8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F1954C8B6EAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EC5EA second address: 4EC608 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1954E883D8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F1954E883DFh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE68A second address: 4EE68E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF58B second address: 4EF595 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1954E883DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF595 second address: 4EF5A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jnp 00007F1954C8B6E8h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48B698 second address: 48B6A2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1954E883D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FE01E second address: 4FE02A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1954C8B6E6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FE191 second address: 4FE1AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1954E883E5h 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 504CFD second address: 504D01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 504D01 second address: 504D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F1954E883DFh 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 504D21 second address: 504D33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1954C8B6EEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 504D33 second address: 504D60 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007F1954E883E5h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jg 00007F1954E883D6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 504D60 second address: 504D7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1954C8B6F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 504D7C second address: 504D86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F1954E883D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 504E8B second address: 504E9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1954C8B6EBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50B813 second address: 50B828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a jne 00007F1954E883D8h 0x00000010 push edi 0x00000011 pop edi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50B828 second address: 50B82E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50F70C second address: 50F718 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1954E883D6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50F718 second address: 50F73E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F1954C8B6F8h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50F73E second address: 50F746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 497521 second address: 497525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5123E7 second address: 5123EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DCDAB second address: 4DCDE3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov di, F974h 0x0000000f mov ecx, 7EE86677h 0x00000014 lea eax, dword ptr [ebp+12482B3Ch] 0x0000001a mov edx, esi 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 jmp 00007F1954C8B6F7h 0x00000025 pop edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DCDE3 second address: 4DCDED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F1954E883D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DCDED second address: 4DCDF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DCDF1 second address: 4DCE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F1954E883DCh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DD360 second address: 4DD377 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1954C8B6EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DD427 second address: 4DD42B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DD42B second address: 4DD42F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DD42F second address: 4DD479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1954E883DAh 0x0000000b popad 0x0000000c xor dword ptr [esp], 3FAD0CC4h 0x00000013 mov edx, dword ptr [ebp+122D21A1h] 0x00000019 call 00007F1954E883D9h 0x0000001e jmp 00007F1954E883E0h 0x00000023 push eax 0x00000024 push eax 0x00000025 ja 00007F1954E883D8h 0x0000002b pop eax 0x0000002c mov eax, dword ptr [esp+04h] 0x00000030 push ebx 0x00000031 push ebx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DD479 second address: 4DD48B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F1954C8B6E8h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DD48B second address: 4DD491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DD590 second address: 4DD59B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F1954C8B6E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DD65D second address: 4DD662 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DDFD9 second address: 4DDFFD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F1954C8B6EEh 0x00000010 mov eax, dword ptr [eax] 0x00000012 push ebx 0x00000013 js 00007F1954C8B6ECh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DDFFD second address: 4DE00B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DE00B second address: 4DE01A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F1954C8B6E6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DE0B9 second address: 4DE109 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F1954E883DEh 0x00000012 lea eax, dword ptr [ebp+12482B80h] 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007F1954E883D8h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 jnl 00007F1954E883D8h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DE109 second address: 4DE10E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DE10E second address: 4DE13F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a sbb cl, FFFFFFA1h 0x0000000d lea eax, dword ptr [ebp+12482B3Ch] 0x00000013 mov dx, CD5Bh 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F1954E883E7h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DE13F second address: 4DE145 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DE145 second address: 4DE149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51602A second address: 516055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1954C8B6EDh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F1954C8B6EDh 0x00000014 jl 00007F1954C8B6E6h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 516055 second address: 516075 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1954E883E6h 0x00000007 jl 00007F1954E883E2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5161AA second address: 5161B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51638B second address: 51639E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51639E second address: 5163A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51651F second address: 51653A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F1954E883E5h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 516860 second address: 516866 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 516866 second address: 51686A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51686A second address: 516870 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51BEE8 second address: 51BEED instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C317 second address: 51C323 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C5C8 second address: 51C5CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C5CE second address: 51C5EB instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1954C8B6E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C5EB second address: 51C5F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jns 00007F1954E883D6h 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C5F8 second address: 51C5FD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51CA3A second address: 51CA48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51CA48 second address: 51CA6B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1954C8B6ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1954C8B6F3h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51D224 second address: 51D229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52317E second address: 52318D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007F1954C8B6E6h 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52318D second address: 5231B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1954E883E4h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F1954E883D6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5231B4 second address: 5231B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5231B8 second address: 5231D8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jno 00007F1954E883D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F1954E883E4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 521EDA second address: 521EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52249D second address: 5224A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5224A1 second address: 5224BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1954C8B6F6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52260A second address: 522610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 522610 second address: 522614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 522614 second address: 52262E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1954E883DEh 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F1954E883D6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52262E second address: 522632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 521B91 second address: 521BBF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1954E883D6h 0x00000008 jmp 00007F1954E883E1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F1954E883E3h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 521BBF second address: 521BED instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1954C8B6ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F1954C8B6F9h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 521BED second address: 521BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 521BF1 second address: 521C0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1954C8B6F4h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 521C0F second address: 521C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1954E883DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 521C21 second address: 521C25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 522E89 second address: 522EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F1954E883D6h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F1954E883E7h 0x00000011 jmp 00007F1954E883E5h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 522EC3 second address: 522EDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jbe 00007F1954C8B6ECh 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 526308 second address: 52630E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48ED96 second address: 48EDA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48EDA0 second address: 48EDA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48EDA4 second address: 48EDBB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F1954C8B6EEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48EDBB second address: 48EDE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F1954E883DCh 0x0000000e jbe 00007F1954E883D6h 0x00000014 jmp 00007F1954E883E5h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48EDE4 second address: 48EDF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1954C8B6EDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 490935 second address: 49093F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 528CA5 second address: 528CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 528CB0 second address: 528CB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D080 second address: 52D0A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F1954C8B701h 0x0000000c jg 00007F1954C8B6E6h 0x00000012 jmp 00007F1954C8B6F5h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 531ADC second address: 531AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 531E8C second address: 531E90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 531E90 second address: 531E94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53295B second address: 532981 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1954C8B6E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F1954C8B6F9h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 532981 second address: 532996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1954E883DAh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 532996 second address: 5329BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1954C8B6EAh 0x00000009 pop ecx 0x0000000a pushad 0x0000000b jmp 00007F1954C8B6F3h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5329BB second address: 5329C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jc 00007F1954E883D6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535EFB second address: 535EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535EFF second address: 535F29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1954E883E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jmp 00007F1954E883DFh 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535F29 second address: 535F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1954C8B6E6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F1954C8B6ECh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 536626 second address: 536640 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1954E883DAh 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F1954E883D6h 0x0000000f jbe 00007F1954E883D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53F19E second address: 53F1A4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53F1A4 second address: 53F1A9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53F1A9 second address: 53F1BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F1954C8B6E6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53F1BA second address: 53F1BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D2B5 second address: 53D2BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D2BA second address: 53D2D8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F1954E883E5h 0x0000000a pop ebx 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D41D second address: 53D427 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1954C8B6E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D427 second address: 53D431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D431 second address: 53D435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D435 second address: 53D439 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D439 second address: 53D445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F1954C8B6E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D6D1 second address: 53D6D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D6D5 second address: 53D6DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D6DB second address: 53D6EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F1954E883D6h 0x0000000a je 00007F1954E883D6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E2AB second address: 53E2C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 jc 00007F1954C8B6E6h 0x0000000e popad 0x0000000f push eax 0x00000010 js 00007F1954C8B6E6h 0x00000016 pushad 0x00000017 popad 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E2C4 second address: 53E2C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E2C9 second address: 53E2DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1954C8B6EAh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E2DC second address: 53E2E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E892 second address: 53E896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E896 second address: 53E8BC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F1954E883E7h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E8BC second address: 53E8D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F1954C8B6F1h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53EED0 second address: 53EEEA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jo 00007F1954E883D6h 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53EEEA second address: 53EEF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53EEF0 second address: 53EEF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53EEF4 second address: 53EEF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53EEF8 second address: 53EF2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edi 0x0000000a pushad 0x0000000b jmp 00007F1954E883DAh 0x00000010 jp 00007F1954E883D6h 0x00000016 jmp 00007F1954E883E5h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5449C4 second address: 5449CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F1954C8B6E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5449CE second address: 5449DB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5449DB second address: 5449E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5449E1 second address: 544A0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1954E883DAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F1954E883E8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54883F second address: 54884A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54884A second address: 548850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548850 second address: 548860 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1954C8B6ECh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548860 second address: 54886A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54886A second address: 54886E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547A90 second address: 547A94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547A94 second address: 547ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1954C8B6F9h 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F1954C8B6E6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547ABD second address: 547AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547C1D second address: 547C3C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 jmp 00007F1954C8B6EEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547C3C second address: 547C46 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1954E883E9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547C46 second address: 547C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1954C8B6EDh 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547DDA second address: 547DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jc 00007F1954E883D6h 0x0000000c jp 00007F1954E883D6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54809F second address: 5480A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548491 second address: 548495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548495 second address: 5484B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F1954C8B6F0h 0x0000000c jc 00007F1954C8B6E6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E75E second address: 54E76A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E76A second address: 54E770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E8AB second address: 54E933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1954E883E2h 0x0000000b popad 0x0000000c jne 00007F1954E883DAh 0x00000012 jnc 00007F1954E883F0h 0x00000018 popad 0x00000019 pushad 0x0000001a jo 00007F1954E883F3h 0x00000020 jmp 00007F1954E883DAh 0x00000025 jmp 00007F1954E883E3h 0x0000002a jmp 00007F1954E883E6h 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 jl 00007F1954E883D6h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E933 second address: 54E937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E937 second address: 54E93D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54EC23 second address: 54EC30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F1954C8B6E6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54EC30 second address: 54EC38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54EF53 second address: 54EF57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54EF57 second address: 54EF5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F568 second address: 54F56E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F56E second address: 54F57E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1954E883DBh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550528 second address: 550539 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1954C8B6E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550539 second address: 55053E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E2DC second address: 54E321 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1954C8B6F4h 0x0000000b jg 00007F1954C8B704h 0x00000011 js 00007F1954C8B6E6h 0x00000017 jmp 00007F1954C8B6F8h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push ebx 0x00000020 pushad 0x00000021 popad 0x00000022 pop ebx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E321 second address: 54E32B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1954E883DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 557D19 second address: 557D31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1954C8B6F0h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 557D31 second address: 557D37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 557D37 second address: 557D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 557D3B second address: 557D41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56468F second address: 564693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 564693 second address: 564699 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 564699 second address: 5646AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1954C8B6F0h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5646AF second address: 5646CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1954E883E8h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 564810 second address: 56481F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F1954C8B6E6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 566CD4 second address: 566CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F1954E883D6h 0x0000000a popad 0x0000000b jnc 00007F1954E883DCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5668AA second address: 5668AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5668AE second address: 5668B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5668B4 second address: 5668C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5668C0 second address: 5668C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5669DA second address: 5669E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5669E4 second address: 5669F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1954E883D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5669F0 second address: 5669FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5669FA second address: 566A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F1954E883D6h 0x0000000a jmp 00007F1954E883E4h 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B483 second address: 56B4B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jnl 00007F1954C8B6F2h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1954C8B6F9h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B4B8 second address: 56B4BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B4BC second address: 56B4CA instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1954C8B6E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B4CA second address: 56B4D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56E8A9 second address: 56E8B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56EA31 second address: 56EA3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F1954E883D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56EA3B second address: 56EA62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1954C8B6F3h 0x00000007 jnc 00007F1954C8B6E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56EA62 second address: 56EA68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 574726 second address: 57475E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1954C8B6EFh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F1954C8B6E8h 0x00000012 push eax 0x00000013 pop eax 0x00000014 push esi 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F1954C8B6F6h 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57475E second address: 574764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 574764 second address: 574768 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57C758 second address: 57C75D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57DDD8 second address: 57DDE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57DDE2 second address: 57DDE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57DDE9 second address: 57DDEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48D1F7 second address: 48D1FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48D1FE second address: 48D211 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1954C8B6EFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48D211 second address: 48D231 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F1954E883E7h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5847F3 second address: 5847F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5847F9 second address: 5847FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5830C0 second address: 5830C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5830C6 second address: 5830CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5830CC second address: 5830D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5830D0 second address: 5830D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58321F second address: 583225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583225 second address: 583232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1954E883D6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58337A second address: 58338C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F1954C8B6E6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5834EA second address: 583514 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007F1954E883DCh 0x00000010 jne 00007F1954E883D6h 0x00000016 jmp 00007F1954E883DBh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583634 second address: 58364B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F1954C8B6E6h 0x0000000a popad 0x0000000b jbe 00007F1954C8B6ECh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58364B second address: 583654 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583A4A second address: 583A54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F1954C8B6E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583A54 second address: 583A5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583A5A second address: 583A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F1954C8B6F8h 0x0000000c pop eax 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5844ED second address: 584505 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1954E883DEh 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F1954E883D6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 587695 second address: 58769B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58769B second address: 58769F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58769F second address: 5876A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0D3E second address: 5A0D48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0D48 second address: 5A0D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0D4C second address: 5A0D6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1954E883E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0D6D second address: 5A0D71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0D71 second address: 5A0D77 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0D77 second address: 5A0D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0D7D second address: 5A0D98 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F1954E883E3h 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0D98 second address: 5A0D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A09F0 second address: 5A0A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1954E883E2h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0A07 second address: 5A0A26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F1954C8B6E6h 0x0000000a jmp 00007F1954C8B6F5h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0A26 second address: 5A0A2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A546B second address: 5A5478 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F1954C8B6E6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A6BD2 second address: 5A6BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1954E883E0h 0x00000009 jc 00007F1954E883D6h 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A6BF0 second address: 5A6C24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1954C8B6F7h 0x0000000e jmp 00007F1954C8B6F4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A6C24 second address: 5A6C28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AABCC second address: 5AABEE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F1954C8B6F6h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AAD24 second address: 5AAD29 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB165 second address: 5AB16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB16E second address: 5AB172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB172 second address: 5AB176 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB527 second address: 5AB53F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1954E883E3h 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ACEBE second address: 5ACEC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ACEC2 second address: 5ACEC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ACEC6 second address: 5ACEDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007F1954C8B6EEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AE6AE second address: 5AE6B4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AE6B4 second address: 5AE6DC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F1954C8B6F0h 0x00000008 jmp 00007F1954C8B6EDh 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AE6DC second address: 5AE6E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B1AF1 second address: 5B1B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1954C8B6F8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B1B0D second address: 5B1B11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B1B11 second address: 5B1B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B1B19 second address: 5B1B21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B584D second address: 5B5851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BB6DC second address: 5BB6E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B2BCE second address: 5B2BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F1954C8B6E6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F1954C8B6E6h 0x00000013 jc 00007F1954C8B6E6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B2BE7 second address: 5B2C34 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1954E883D6h 0x00000008 jg 00007F1954E883D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 jg 00007F1954E883D6h 0x00000017 jmp 00007F1954E883E9h 0x0000001c pop edx 0x0000001d popad 0x0000001e push eax 0x0000001f pushad 0x00000020 jmp 00007F1954E883E7h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B1699 second address: 5B16CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1954C8B6F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1954C8B6EEh 0x00000018 jnc 00007F1954C8B6E6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B16CF second address: 5B16D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B2A8B second address: 5B2AA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F1954C8B6E6h 0x00000009 jnp 00007F1954C8B6E6h 0x0000000f popad 0x00000010 jne 00007F1954C8B6ECh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D82DA second address: 4D82F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1954E883E5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 32DDC0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 4CA0C4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 559408 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4920000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4AA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 6AA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3577 rdtsc
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B7DA6 sidt fword ptr [esp-02h]
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 7816 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050104E GetSystemInfo,VirtualAlloc
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A6CD4 Start: 004A6D48 End: 004A6CC8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A6C88 Start: 004A6D48 End: 004A6CC8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A6C9C Start: 004A6D48 End: 004A6CC8
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3577 rdtsc
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032B9B4 LdrInitializeThunk
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F81E9 GetSystemTime,GetFileTime

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (one list per tactic column; a number in parentheses is the count of matching signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Bypass User Account Control (2); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (1); Disable or Modify Tools (41); Virtualization/Sandbox Evasion (271); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (11); DLL Side-Loading (1); Bypass User Account Control (2)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Security Software Discovery (641); Process Discovery (2); Virtualization/Sandbox Evasion (271); System Information Discovery (24); Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (2); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1561395
    Start date and time:2024-11-23 10:32:10 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 2m 39s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:7
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:file.exe
    Detection:MAL
    Classification:mal100.evad.winEXE@1/1@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:Failed
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Stop behavior analysis, all processes terminated
    • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, SIHClient.exe, backgroundTaskHost.exe
    • Excluded IPs from analysis (whitelisted): 20.198.119.84, 20.223.35.26, 23.206.197.32, 23.206.197.50, 23.206.197.48, 23.206.197.43, 23.206.197.49, 23.206.197.34, 23.206.197.25, 23.206.197.35, 23.206.197.42
    • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, otelrules.azureedge.net, tse1.mm.bing.net, arc.msn.com, www-www.bing.com.trafficmanager.net, wns.notify.trafficmanager.net, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, ocsp.digicert.com, ocsp.edge.digicert.com, arc.trafficmanager.net, iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    No simulations
    No context
    Match: fp2e7a.wpc.phicdn.net
    Associated Sample Name / URL | Detection | Threat Name | Context
    n5QCsKJ0CP.exe | malicious | RedLine | 192.229.221.95
    file.exe | malicious | Stealc | 192.229.221.95
    file.exe | malicious | Amadey, Stealc, Vidar | 192.229.221.95
    file.exe | malicious | Stealc | 192.229.221.95
    https://identitys.fraudguard.es/SSA_Updated_Statement | malicious | ScreenConnect Tool | 192.229.221.95
    SeT_up.exe | malicious | LummaC Stealer | 192.229.221.95
    file.exe | malicious | LummaC, Amadey, CredGrabber, Credential Flusher, Cryptbot, LummaC Stealer, Meduza Stealer | 192.229.221.95
    https://b0.antidisesta1.com/HX8hiLPadaz1N7WrltpPjHg34q_2C98ig/#Xlhixacc.org | malicious | Unknown | 192.229.221.95
    30340299021065524077.js | malicious | Strela Downloader | 192.229.221.95
    BX9IkWcF80.exe | malicious | ScreenConnect Tool | 192.229.221.95
    No context
    No context
    No context
    Process:C:\Users\user\Desktop\file.exe
    File Type:CSV text
    Category:dropped
    Size (bytes):226
    Entropy (8bit):5.360398796477698
    Encrypted:false
    SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
    MD5:3A8957C6382192B71471BD14359D0B12
    SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
    SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
    SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
    Malicious:true
    Reputation:high, very likely benign file
    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.5042968975831315
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:file.exe
    File size:2'761'728 bytes
    MD5:a4ccc1e6f4894f4832ff349ee223714f
    SHA1:c1863ef0b3b70c0210e30bac674ccd04b0bc5857
    SHA256:f7a868b76e3f413f7cbeafd75c889febb45650ab6c963449f0c1d7ccc833c3b8
    SHA512:2d33b57f20309e10fa5d1ab1e9c5007de9a1f91518bb24caa8a94c56d356cc2f5f96d7319cdc2817c7a8b28e77629719fb5fd5a43a5ac418b4362e9277a16d66
    SSDEEP:24576:C1XYlL/FZd4ST4OX0Hvt0URsfBehvHBc1bGHA05tFwbwXKnl4Zg8sqhCFqzob+v9:Wi14S0UWuB+bjXm8s5uv/VvX56kVl
    TLSH:2BD54C92B40972CFD48E2374E62BCD87596D03B9571159D3A82CB57ABEA3CC132F9C24
    File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............*.. ...`....@.. ........................*.......*...`................................
    Icon Hash:00928e8e8686b000
    Entrypoint:0x6aa000
    Entrypoint Section:.taggant
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
    Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:2eabe9054cad5152567f0699947a2c5b
    Instruction
    jmp 00007F1954DE660Ah
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    | 0x2000 | 0x4000 | 0x1200 | 17ec0913a9849d6a2561c1f1a3a462ea | False | 0.9301215277777778 | data | 7.771586120312369 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    teifcfsu | 0xa000 | 0x29e000 | 0x29c400 | a30f520e34c13fbc6e683cda39cf78e5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    cxpiqsak | 0x2a8000 | 0x2000 | 0x400 | 34faaa8f5261e957058939ad5091f2a6 | False | 0.7998046875 | data | 6.223696439043342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .taggant | 0x2aa000 | 0x4000 | 0x2200 | 09b7561924790c3e72cabaf56b93d48c | False | 0.06606158088235294 | DOS executable (COM) | 0.7433553511983096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
    RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
    DLL | Import
    kernel32.dll | lstrcpy
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Nov 23, 2024 10:33:23.545825958 CET | 1.1.1.1 | 192.168.2.6 | 0x9a97 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
    Nov 23, 2024 10:33:23.545825958 CET | 1.1.1.1 | 192.168.2.6 | 0x9a97 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false


    Target ID:0
    Start time:04:33:07
    Start date:23/11/2024
    Path:C:\Users\user\Desktop\file.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\file.exe"
    Imagebase:0x320000
    File size:2'761'728 bytes
    MD5 hash:A4CCC1E6F4894F4832FF349EE223714F
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true


      Execution Graph

      Execution Coverage:6.2%
      Dynamic/Decrypted Code Coverage:3%
      Signature Coverage:4.1%
      Total number of Nodes:394
      Total number of Limit Nodes:21

      Control-flow Graph

      APIs
      • GetSystemInfo.KERNELBASE(?,-11FA5FEC), ref: 0050105A
      • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 005010BB
      Memory Dump Source
      • Source File: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: AllocInfoSystemVirtual
      • String ID:
      • API String ID: 3440192736-0
      • Opcode ID: b1de86d9e2dbd61cbe4baef91bf1e5e9bb0319ab69348d9c2998c4bbc573ba16
      • Instruction ID: a37b6bdef2a8972ab55a8652713a7e99106b87eca0761dbb2bd0f0fe8ae16ae9
      • Opcode Fuzzy Hash: b1de86d9e2dbd61cbe4baef91bf1e5e9bb0319ab69348d9c2998c4bbc573ba16
      • Instruction Fuzzy Hash: 374125B1D01606AEEB2DDF51C845F9ABBACFB84740F0001A6B607CE8C2D67095D4CB95

      Control-flow Graph (legend: Executed / Not Executed)
      • Blocks: 258 (4a3577-4a357c, calls LoadLibraryA), 259 (4a3591-4a35a3), 261 (4a35ab-4a3708), 262 (4a35a9-4a35aa), 265 (4a3709)
      • Edges: 258->259, 259->261, 259->262, 261->265, 262->261, 265->265
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: 0e35f455d8e3aa6ecd153f411039981eb01397b9c03237cea66fb9ad9808e351
      • Instruction ID: ea073b4f94380f9550bccf7c3fb63a0ac5f276ba39a9ced9eaad68ce224c2812
      • Opcode Fuzzy Hash: 0e35f455d8e3aa6ecd153f411039981eb01397b9c03237cea66fb9ad9808e351
      • Instruction Fuzzy Hash: 2741A2F250C300AFE7066F18EC856BEF7E9EF94320F16492DE2C182A00E77555449AA7
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 144ab11cc98e6fdd5b4317832cd9f6a7617590c238970bb5fc6e14998d679ee7
      • Instruction ID: 7445bcce513a4633a944ccbc391481b8c083ce79e0f953b9300edadcdcd6a2ab
      • Opcode Fuzzy Hash: 144ab11cc98e6fdd5b4317832cd9f6a7617590c238970bb5fc6e14998d679ee7
      • Instruction Fuzzy Hash: 1E1106F62082517DF700CA55AB60AFB63ADE6F3734B3A841FF881C6542D2594D4A623A
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 4fd5b053749f2b13bb30543102d46d6e2a85a35fe89cb61a621c155563656026
      • Instruction ID: 66d53801f8ada4aebad36156b6a7912d8470c25e1c0bcc149bd61d44c63339d2
      • Opcode Fuzzy Hash: 4fd5b053749f2b13bb30543102d46d6e2a85a35fe89cb61a621c155563656026
      • Instruction Fuzzy Hash: 11112BF72082117DF300CA44AB60AFB63BDE6F7B30B3A841FF881C5542D2594D4A623A
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 3658d4a1f310665404eb4cc45c73a543edcc918abfae635a4b48846eca34efe1
      • Instruction ID: d3987333ef7ab532dd156603d3bb3b8233f82e1901fddffd28821c82282781b5
      • Opcode Fuzzy Hash: 3658d4a1f310665404eb4cc45c73a543edcc918abfae635a4b48846eca34efe1
      • Instruction Fuzzy Hash: CB01C8F72082116DF300CE45AB60AFB63BDE6E7770B3A842FF841C6542C2594D4A563A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID:
      • String ID: XO
      • API String ID: 0-1882202049
      • Opcode ID: ed1d767bcab7ef421383307a5443b3ac17d520f605d8abbe074bb3e87d22b8d6
      • Instruction ID: c2708275b5324b1e806eb405a6faa3ae63b450b2f787d9663af138f9fbb3309f
      • Opcode Fuzzy Hash: ed1d767bcab7ef421383307a5443b3ac17d520f605d8abbe074bb3e87d22b8d6
      • Instruction Fuzzy Hash: D0618A72918AB6CFDB139F28A8103A9FB65EF41700F1A4466DC858FB96E7794C50C7C4

      Control-flow Graph

      APIs
      • LoadLibraryExW.KERNEL32(?,?,?), ref: 004F5880
      • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 004F5894
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID: .dll$.exe$1002
      • API String ID: 1029625771-847511843
      • Opcode ID: d019dbae8b41db6a79fb922f7940116178f0170b71543463e11afc1c21480c5e
      • Instruction ID: 559cd5a63410d97190c8480a059b6099e70f5e1a46760edaaeaed80b3ea826be
      • Opcode Fuzzy Hash: d019dbae8b41db6a79fb922f7940116178f0170b71543463e11afc1c21480c5e
      • Instruction Fuzzy Hash: 24316C7540490EFFCF11AF50D904ABE7B75FF44340F10412AFB0596161CB3999A1DBAA

      Control-flow Graph

      APIs
      • GetFileAttributesExW.KERNELBASE(00B401D4,00004020,00000000,-11FA5FEC), ref: 004F83DD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: AttributesFile
      • String ID: @
      • API String ID: 3188754299-2726393805
      • Opcode ID: 8659555a23b04a48664342b05b6af5cbc8adaf4cc8d32bf61580ee780c1ce0f4
      • Instruction ID: 059458244e84eaf31ce45a1278d117e9d980b54863722207b2cb4f5d086720f4
      • Opcode Fuzzy Hash: 8659555a23b04a48664342b05b6af5cbc8adaf4cc8d32bf61580ee780c1ce0f4
      • Instruction Fuzzy Hash: AA317175504709EFDF258F44C848BAEBBB0FF08704F00851EEA556B260CB79E6A5CB94

      Control-flow Graph

      control_flow_graph 60 4f5c75-4f5c86 call 4f55d9 63 4f5c8c 60->63 64 4f5c91-4f5c9a call 4f409c 60->64 66 4f5d25-4f5d29 63->66 70 4f5cce-4f5cd5 64->70 71 4f5ca0-4f5cac call 4f47ae 64->71 68 4f5d2f-4f5d38 GetModuleHandleW 66->68 69 4f5d3d-4f5d40 GetModuleHandleA 66->69 72 4f5d46 68->72 69->72 75 4f5cdb-4f5ce2 70->75 76 4f5d20 call 4f4147 70->76 77 4f5cb1-4f5cb3 71->77 74 4f5d50-4f5d52 72->74 75->76 78 4f5ce8-4f5cef 75->78 76->66 77->76 80 4f5cb9-4f5cbe 77->80 78->76 81 4f5cf5-4f5cfc 78->81 80->76 82 4f5cc4-4f5d4b call 4f4147 80->82 81->76 83 4f5d02-4f5d16 81->83 82->74 83->76
      APIs
      • GetModuleHandleW.KERNEL32(?,?,?,?,004F5C07,?,00000000,00000000), ref: 004F5D32
      • GetModuleHandleA.KERNEL32(00000000,?,?,?,004F5C07,?,00000000,00000000), ref: 004F5D40
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: HandleModule
      • String ID: .dll
      • API String ID: 4139908857-2738580789
      • Opcode ID: c0318f7bdf6507ab262d9028686172705eb3524c7a17e080420401ee475dc7a3
      • Instruction ID: e91460ea6ee294ba2dae024354896753ebb25758a2688a10c56988bcc94c758b
      • Opcode Fuzzy Hash: c0318f7bdf6507ab262d9028686172705eb3524c7a17e080420401ee475dc7a3
      • Instruction Fuzzy Hash: EB115E30102A4EEAEF309F20D50D77A7BB5FF10345F00811BE701491A0CB7D94E4DA8A

      Control-flow Graph

      control_flow_graph 87 4f85cf-4f85dd 88 4f85ef 87->88 89 4f85e3-4f85ea 87->89 90 4f85f6-4f860c call 4f409c call 4f4800 88->90 89->90 95 4f862b 90->95 96 4f8612-4f8620 call 4f47ae 90->96 98 4f862f-4f8632 95->98 102 4f8637-4f863c 96->102 103 4f8626 96->103 100 4f8662-4f8669 call 4f4147 98->100 105 4f8653-4f8656 GetFileAttributesA 102->105 106 4f8642-4f864e GetFileAttributesW 102->106 103->98 107 4f865c-4f865d 105->107 106->107 107->100
      APIs
      • GetFileAttributesW.KERNELBASE(00B401D4,-11FA5FEC), ref: 004F8648
      • GetFileAttributesA.KERNEL32(00000000,-11FA5FEC), ref: 004F8656
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: AttributesFile
      • String ID: @
      • API String ID: 3188754299-2726393805
      • Opcode ID: a0925e01c5d7c86d07316bfbe32b2a0613ef9e32126afaa312db84d34b8fba91
      • Instruction ID: 4acf4f2316a86e8bd2d4db8f58ee320c0afaac4ad53cca824b04f65c4aeaaac2
      • Opcode Fuzzy Hash: a0925e01c5d7c86d07316bfbe32b2a0613ef9e32126afaa312db84d34b8fba91
      • Instruction Fuzzy Hash: 06014B70504149FAEF21AF54C909BBE7FB0AF45348F10406FE701AD1A1DFB99A91D64D

      Control-flow Graph

      control_flow_graph 108 4afc96-4afcbe 110 4afcc0-4afcdb RegOpenKeyA 108->110 111 4afce7-4afd02 RegOpenKeyA 108->111 110->111 112 4afcdd 110->112 113 4afd1a-4afd46 111->113 114 4afd04-4afd0e 111->114 112->111 117 4afd48-4afd51 GetNativeSystemInfo 113->117 118 4afd53-4afd5d 113->118 114->113 117->118 119 4afd69-4afd77 118->119 120 4afd5f 118->120 122 4afd79 119->122 123 4afd83-4afd8a 119->123 120->119 122->123 124 4afd9d 123->124 125 4afd90-4afd97 123->125 127 4b1c45-4b1c4b 124->127 125->124 126 4b1c7a-4b1c81 125->126 126->127 128 4b1c87-4b1e00 126->128
      APIs
      • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 004AFCD3
      • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 004AFCFA
      • GetNativeSystemInfo.KERNELBASE(?), ref: 004AFD51
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: Open$InfoNativeSystem
      • String ID:
      • API String ID: 1247124224-0
      • Opcode ID: c2cfa099889a2609786caf741cefcaaeb965d7eb8d2975d56ace81d932c2a5dc
      • Instruction ID: 6f1e84492b93701eb78cd22486f183a801036cceb831326735e93f03d86c9433
      • Opcode Fuzzy Hash: c2cfa099889a2609786caf741cefcaaeb965d7eb8d2975d56ace81d932c2a5dc
      • Instruction Fuzzy Hash: 89316CB260810E9FDF11DF60C848BDF3AB9EF55310F100026DE4286A50E77A8DA89F6D

      Control-flow Graph

      control_flow_graph 130 4f464f-4f467f 132 4f47aa-4f47ab 130->132 133 4f4685-4f469a 130->133 133->132 135 4f46a0-4f46a4 133->135 136 4f46aa-4f46bc PathAddExtensionA 135->136 137 4f46c6-4f46cd 135->137 140 4f46c5 136->140 138 4f46ef-4f46f6 137->138 139 4f46d3-4f46e2 call 4f42f0 137->139 142 4f46fc-4f4703 138->142 143 4f4738-4f473f 138->143 146 4f46e7-4f46e9 139->146 140->137 147 4f471c-4f472b call 4f42f0 142->147 148 4f4709-4f4712 142->148 144 4f4745-4f475b call 4f42f0 143->144 145 4f4761-4f4768 143->145 144->132 144->145 150 4f476e-4f4784 call 4f42f0 145->150 151 4f478a-4f4791 145->151 146->132 146->138 157 4f4730-4f4732 147->157 148->147 152 4f4718 148->152 150->132 150->151 151->132 156 4f4797-4f47a4 call 4f4329 151->156 152->147 156->132 157->132 157->143
      APIs
      • PathAddExtensionA.KERNELBASE(?,00000000), ref: 004F46B1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: ExtensionPath
      • String ID: \\?\
      • API String ID: 158807944-4282027825
      • Opcode ID: e3b79a1aa35b89bb1e83d32c470565eb2cc72a09bf3a751f1ceff7eb189606e9
      • Instruction ID: 4180d232f144239a9e004ae818fa0c5ec62680671d701c37982302f2677ee5c8
      • Opcode Fuzzy Hash: e3b79a1aa35b89bb1e83d32c470565eb2cc72a09bf3a751f1ceff7eb189606e9
      • Instruction Fuzzy Hash: 32313E3960060EBFDF21DF94CC09BAF77B5BF89344F041066FA00A51A0DB7A9662DB59

      Control-flow Graph (basic blocks with address range, annotations and successor blocks)

      • 161: 4f5d5e-4f5d71, call 4f409c -> 164, 165
      • 164: 4f5d77-4f5d83, call 4f47ae -> 168
      • 165: 4f5db4-4f5dc8, call 4f4147, GetModuleHandleExA -> 170
      • 168: 4f5d88-4f5d8a -> 165, 171
      • 170: 4f5dd2-4f5dd4 (no successors)
      • 171: 4f5d90-4f5d97 -> 172, 173
      • 172: 4f5d9d -> 173
      • 173: 4f5da0-4f5dcd, call 4f4147 -> 170
      APIs
        • Part of subcall function 004F409C: GetCurrentThreadId.KERNEL32 ref: 004F40AB
        • Part of subcall function 004F409C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 004F40EE
      • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 004F5DC2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CurrentHandleModuleSleepThread
      • String ID: .dll
      • API String ID: 683542999-2738580789
      • Opcode ID: a0aff10658118a50b7ed5ba99cf4695d5d4ab9b4d829f4db47858ca52f8f07e6
      • Instruction ID: b0e5bcf5ef9798db214ff14edb932ccf7f86242659214ae118984e8a54312bde
      • Opcode Fuzzy Hash: a0aff10658118a50b7ed5ba99cf4695d5d4ab9b4d829f4db47858ca52f8f07e6
      • Instruction Fuzzy Hash: E4F06D7510060DBFDF10EF54C949BBB3BA6BF48304F10801AFF148A152DB38C4A09A25

      Control-flow Graph (basic blocks with address range, annotations and successor blocks)

      • 204: 4f87eb-4f87f9 -> 205, 206
      • 205: 4f87ff-4f8806 -> 207
      • 206: 4f880b -> 207
      • 207: 4f8812-4f881e, call 4f409c -> 210, 211
      • 210: 4f8839-4f8849, call 4f879d -> 216, 217
      • 211: 4f8824-4f882e, call 4f86f8 -> 210, 218
      • 216: 4f884f-4f8856 -> 219
      • 217: 4f885b-4f8869, call 4f47ae -> 219, 224
      • 218: 4f8834 -> 219
      • 219: 4f887a-4f887f -> 222, 223
      • 222: 4f88a8-4f88bd, CreateFileA -> 225
      • 223: 4f8885-4f88a3, CreateFileW -> 225
      • 224: 4f886f-4f8870, call 4f5ff2 -> 228
      • 225: 4f88c3-4f88c4 -> 227
      • 227: 4f88c9-4f88d0, call 4f4147 (no successors)
      • 228: 4f8875 -> 227
      APIs
      • CreateFileW.KERNELBASE(00B401D4,?,?,-11FA5FEC,?,?,?,-11FA5FEC,?), ref: 004F889D
        • Part of subcall function 004F879D: IsBadWritePtr.KERNEL32(?,00000004), ref: 004F87AB
      • CreateFileA.KERNEL32(?,?,?,-11FA5FEC,?,?,?,-11FA5FEC,?), ref: 004F88BD
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CreateFile$Write
      • String ID:
      • API String ID: 1125675974-0
      • Opcode ID: 31d0120efaa08abb71d66b625572863fc6cac0ea4b376b2c694e9b0e7f9e585d
      • Instruction ID: f2acb998b61bf6220192566825aa4f94a12a0095b804eeeaabacc0611f8ee2fc
      • Opcode Fuzzy Hash: 31d0120efaa08abb71d66b625572863fc6cac0ea4b376b2c694e9b0e7f9e585d
      • Instruction Fuzzy Hash: 46110B3510454EFADF22AF90CC09BAE3B71BF19384F44412EBB01590A0CB7A85A1EB55

      Control-flow Graph (basic blocks with address range, annotations and successor blocks)

      • 231: 4f8157-4f816d, call 4f409c, GetCurrentProcess -> 234, 235
      • 234: 4f81af-4f81d1, call 4f4147, DuplicateHandle -> 240
      • 235: 4f8173-4f8176 -> 234, 237
      • 237: 4f817c-4f817f -> 234, 239
      • 239: 4f8185-4f8198, call 4f3ef6 -> 234, 243
      • 240: 4f81db-4f81dd (no successors)
      • 243: 4f819e-4f81d6, call 4f5ef4, call 4f4147 -> 240
      APIs
        • Part of subcall function 004F409C: GetCurrentThreadId.KERNEL32 ref: 004F40AB
        • Part of subcall function 004F409C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 004F40EE
      • GetCurrentProcess.KERNEL32(-11FA5FEC), ref: 004F8164
      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 004F81CA
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: Current$DuplicateHandleProcessSleepThread
      • String ID:
      • API String ID: 2846201637-0
      • Opcode ID: 1a5720357432eb57badb9dd0a0e18f6dbe355519c63d82ece89db2ffa584d215
      • Instruction ID: 1fcec44cb1ed936e1ba3fe748da53515ce134c5f306a8381235e553a6e29b4ab
      • Opcode Fuzzy Hash: 1a5720357432eb57badb9dd0a0e18f6dbe355519c63d82ece89db2ffa584d215
      • Instruction Fuzzy Hash: E0012C3210004EFA8F226FA5CD45CAF3B79BF98354B00421AFB0559011CF39D162DB66

      Control-flow Graph (basic blocks with address range, annotations and successor blocks)

      • 248: 4f409c-4f40b2, GetCurrentThreadId -> 249
      • 249: 4f40b4-4f40c0 -> 250, 251
      • 250: 4f40fb-4f4108, call 4faf1b (no successors)
      • 251: 4f40c6-4f40c8 -> 250, 253
      • 253: 4f40ce-4f40d5 -> 254, 255
      • 254: 4f40db-4f40e2 -> 255, 257
      • 255: 4f40ea-4f40f6, Sleep -> 249 (loops back to 249)
      • 257: 4f40e8 -> 255
      APIs
      • GetCurrentThreadId.KERNEL32 ref: 004F40AB
      • Sleep.KERNELBASE(00000005,00050000,00000000), ref: 004F40EE
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CurrentSleepThread
      • String ID:
      • API String ID: 1164918020-0
      • Opcode ID: 5c19f2deca103100482cd085eaa0f4fd230abf971eaa0b73000b24d73b738ed0
      • Instruction ID: 8d39d6a9cd5afa6421dc762cdb634b87bd6dca335b56bcbad5c2fe86f1995f8e
      • Opcode Fuzzy Hash: 5c19f2deca103100482cd085eaa0f4fd230abf971eaa0b73000b24d73b738ed0
      • Instruction Fuzzy Hash: CCF0B47510460AEFCB218F60C95877F72B4FF84319F20407AD70185140DFB81A96DA96

      Control-flow Graph

      control_flow_graph 266 4a370e-4a3712 LoadLibraryA 267 4a3723-4a387c 266->267 270 4a387e-4a38a9 267->270 273 4a38ab-4a38ad 270->273
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: b3dbd53376ab5a211be96031519e457a62aca27418fedde5e68a2eefcd4e28a3
      • Instruction ID: c82a8136b299091b3e4d77e3b813d9923c3ac12113f4107f2fa0d8e3bf015464
      • Opcode Fuzzy Hash: b3dbd53376ab5a211be96031519e457a62aca27418fedde5e68a2eefcd4e28a3
      • Instruction Fuzzy Hash: D3415FF650C600AFE705AE19DC41B7ABBE9EFC4360F16882DE6C5C3210D63588518B57

      Control-flow Graph

      control_flow_graph 274 501a7a-501a88 275 501aab-501ab5 call 50190f 274->275 276 501a8e-501aa0 274->276 280 501ac0-501ac9 275->280 281 501abb 275->281 276->275 282 501aa6 276->282 284 501ae1-501ae8 280->284 285 501acf-501ad6 280->285 283 501c0a-501c0c 281->283 282->283 287 501af3-501b03 284->287 288 501aee 284->288 285->284 286 501adc 285->286 286->283 287->283 289 501b09-501b15 call 5019e4 287->289 288->283 292 501b18-501b1c 289->292 292->283 293 501b22-501b2c 292->293 294 501b32-501b45 293->294 295 501b53-501b56 293->295 294->295 300 501b4b-501b4d 294->300 296 501b59-501b5c 295->296 298 501c02-501c05 296->298 299 501b62-501b69 296->299 298->292 301 501b97-501bb0 299->301 302 501b6f-501b75 299->302 300->295 300->298 308 501bb6-501bc4 301->308 309 501bc9-501bd1 VirtualProtect 301->309 303 501b92 302->303 304 501b7b-501b80 302->304 306 501bfa-501bfd 303->306 304->303 305 501b86-501b8c 304->305 305->301 305->303 306->296 310 501bd7-501bda 308->310 309->310 310->306 311 501be0-501bf9 310->311 311->306
      Memory Dump Source
      • Source File: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 4ea8863d39bc55f4f9bdcf116b13bafdc59bdc4b64808bc2dbb600d042e828b4
      • Instruction ID: 5f25f559c3923e4be51c46df0c06e6c53400d346418b35d98b31927d0315e29c
      • Opcode Fuzzy Hash: 4ea8863d39bc55f4f9bdcf116b13bafdc59bdc4b64808bc2dbb600d042e828b4
      • Instruction Fuzzy Hash: E24179B1900A0AEFEB25CF24C944BAE7FA5FF44315F248495E502AB1C1D371AC90CF9A

      Control-flow Graph

      control_flow_graph 314 4f67d6-4f67e7 315 4f67ed-4f6801 call 4f417a 314->315 316 4f6816-4f681f call 4f417a 314->316 326 4f6904 315->326 327 4f6807-4f6815 315->327 321 4f68fc-4f68ff call 4f419f 316->321 322 4f6825-4f6836 call 4f5fb8 316->322 321->326 330 4f683c-4f6840 322->330 331 4f6856-4f6895 CreateFileA 322->331 329 4f690b-4f690f 326->329 327->316 335 4f6846-4f6852 call 4fb040 330->335 336 4f6853 330->336 332 4f689b-4f68b8 331->332 333 4f68b9-4f68bc 331->333 332->333 337 4f68ef-4f68f7 call 4f5e47 333->337 338 4f68c2-4f68d9 call 4f3ebc 333->338 335->336 336->331 337->326 338->329 346 4f68df-4f68ea call 4f5eb5 338->346 346->326
      APIs
      • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 004F688B
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: b91dde425f675792093e8df7e158052d99c239f4573de3319885d79c895b431a
      • Instruction ID: 4c2fcd919ff8d2822dc94228f60039a0ec0dcbb8c6db83878ff76aefc6dd3768
      • Opcode Fuzzy Hash: b91dde425f675792093e8df7e158052d99c239f4573de3319885d79c895b431a
      • Instruction Fuzzy Hash: F931B07190020DFADF20AF65DC45FAEB7B8FF08718F20816EF600AA191D7799A51CB18
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 4add8fccf159be4ae6ae0c6db3ceffba09cce4774f9edb1c2dc7221bd4c22600
      • Instruction ID: 023d623ca257393b7d2e759908cc7f8a6431cb31538e5ce61480134ac7400c26
      • Opcode Fuzzy Hash: 4add8fccf159be4ae6ae0c6db3ceffba09cce4774f9edb1c2dc7221bd4c22600
      • Instruction Fuzzy Hash: CD1127F62082517DF301CA55AF60AFB6BBDD6E7770B3A841BF481C6502C2580D4AA23A
      APIs
      • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 004F6074
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 1ae823c769f37cc3c6436f61f06e9a6beb6b36027de03c1077f46cab4e0a7355
      • Instruction ID: d4e1c63056c844e2364c4b8585ba1463e2cbae2f2bd8d4011ba34a547a0f2f17
      • Opcode Fuzzy Hash: 1ae823c769f37cc3c6436f61f06e9a6beb6b36027de03c1077f46cab4e0a7355
      • Instruction Fuzzy Hash: 0E31F775540209BEEB30DF64DC46FAA77B8EF04728F20425AF710EA1D1C7B5A541CB58
      APIs
      • CreateFileA.KERNELBASE(?,004A6DEE,00000003,00000000,00000003), ref: 004A6EBE
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: bd832d3e515f03f3f64f7789b184774ed5f3a403abae79ccd5692e5468466c27
      • Instruction ID: 8b04c4f437ba752d083d1700bdf8941375e1eb6d88cecf14f07372f62a677fa1
      • Opcode Fuzzy Hash: bd832d3e515f03f3f64f7789b184774ed5f3a403abae79ccd5692e5468466c27
      • Instruction Fuzzy Hash: C511A7FF2481517DB502CA55EF509FB776EE6E773073A842BF402C5506D69D0D092139
      APIs
      • CreateFileA.KERNELBASE(?,004A6DEE,00000003,00000000,00000003), ref: 004A6EBE
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: e2e60eb68373eb1d19ee5d39b5d0912b3e6119d1c7fb40517e654ae16414c1bf
      • Instruction ID: d18566bdc7e78a23ea16b4ec2d73fd4a6a4bf7fd98af61254696b9d263eeaad4
      • Opcode Fuzzy Hash: e2e60eb68373eb1d19ee5d39b5d0912b3e6119d1c7fb40517e654ae16414c1bf
      • Instruction Fuzzy Hash: EA0188FB14C2517EF602CA55EE50AFB77ADE6D7730B35842BF402C2502D7A90D096636
      APIs
      • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 00501874
      Memory Dump Source
      • Source File: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: FileModuleName
      • String ID:
      • API String ID: 514040917-0
      • Opcode ID: c4fe10d3e3ca5d3986d9bf95be9bfdf0415d8b5857810f6635464affed623498
      • Instruction ID: c05cd086b609f928d3fd412af9ba299accf34fa280661a65b5650a9ada783840
      • Opcode Fuzzy Hash: c4fe10d3e3ca5d3986d9bf95be9bfdf0415d8b5857810f6635464affed623498
      • Instruction Fuzzy Hash: 1E119672E01A259FFB204A44CC48BEE7BACFF44750F64C095EC05960C1D7749E818BAA
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: ecadd5688fa92675b630bde9c279aeb30f0aa46e9ff10667571d060521da38bd
      • Instruction ID: 6b9326acbf9a6ba43cf713f3eed6275186c32d716c0ded92c64ac8aeab65bded
      • Opcode Fuzzy Hash: ecadd5688fa92675b630bde9c279aeb30f0aa46e9ff10667571d060521da38bd
      • Instruction Fuzzy Hash: 450147FA2082157CF301CE04AB60BFB63BDD2E6B70B3A881FF881C5542C2590D49523E
      APIs
      • CreateFileA.KERNELBASE(?,004A6DEE,00000003,00000000,00000003), ref: 004A6EBE
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 32c6fd52180b0bad8922e5853b9b9e78e07b504b3a4d3fbe9d8baecb5ea439d7
      • Instruction ID: 23833dde7cf301f66fa5f9c3cc1646ff2e2597b71db315487be121897f3e10c8
      • Opcode Fuzzy Hash: 32c6fd52180b0bad8922e5853b9b9e78e07b504b3a4d3fbe9d8baecb5ea439d7
      • Instruction Fuzzy Hash: FD0136FB14C2517DB501CA55AF50AFB779DE6D7730B35882BF402C6506D2A90D092639
      APIs
      • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04960DCD
      Memory Dump Source
      • Source File: 00000000.00000002.2331037755.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4960000_file.jbxd
      Similarity
      • API ID: ManagerOpen
      • String ID:
      • API String ID: 1889721586-0
      • Opcode ID: 032d03de3c7cf3ee9cf5f21523131583780a7e4166c01c72993c7ae59ce4309a
      • Instruction ID: 4c1371fb1a98ac02492880a3b1a7e21e38afa75d13b024e784e13070575f988f
      • Opcode Fuzzy Hash: 032d03de3c7cf3ee9cf5f21523131583780a7e4166c01c72993c7ae59ce4309a
      • Instruction Fuzzy Hash: BB2104B6C013199FCB50CF99D884ADEFBF4FB88720F14862AD909AB245D774A540CBA4
      APIs
      • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04960DCD
      Memory Dump Source
      • Source File: 00000000.00000002.2331037755.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4960000_file.jbxd
      Similarity
      • API ID: ManagerOpen
      • String ID:
      • API String ID: 1889721586-0
      • Opcode ID: 5b9c2991b6011668feab17980c97bde07ca02fa62d3922abe8524f3604177fcd
      • Instruction ID: aa7f6f82856b66c87a24295a0895d1b575eef9599460dacac594d402ea611f78
      • Opcode Fuzzy Hash: 5b9c2991b6011668feab17980c97bde07ca02fa62d3922abe8524f3604177fcd
      • Instruction Fuzzy Hash: 6F2134B6C013098FCB40CFA9D480ADEFBF5BB88320F14822AD909AB245C774A541CBA4
      APIs
      • ControlService.ADVAPI32(?,?,?), ref: 04961580
      Memory Dump Source
      • Source File: 00000000.00000002.2331037755.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4960000_file.jbxd
      Similarity
      • API ID: ControlService
      • String ID:
      • API String ID: 253159669-0
      • Opcode ID: 623444d71a3ee44f6a96525f7e199a2ace3b7bd8ffdd1797b1770149b2613576
      • Instruction ID: 73df644625b1bfb9ea479765075ab5d1d78f7e8b8944edc60133bb065a2de860
      • Opcode Fuzzy Hash: 623444d71a3ee44f6a96525f7e199a2ace3b7bd8ffdd1797b1770149b2613576
      • Instruction Fuzzy Hash: D51103B29003499FDB10CFAAC584BDEFBF4AB48320F10842AE519A3240D378A644CFA5
      APIs
      • ControlService.ADVAPI32(?,?,?), ref: 04961580
      Memory Dump Source
      • Source File: 00000000.00000002.2331037755.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4960000_file.jbxd
      Similarity
      • API ID: ControlService
      • String ID:
      • API String ID: 253159669-0
      • Opcode ID: 2215f83058765ebaeb7dd164fc2eb22ab250a96ed12b54abf630aa605ee80cef
      • Instruction ID: 23159f7fb61e5c207fb9708bf9a424eeb830aa12fac1e3c65918f132c227e032
      • Opcode Fuzzy Hash: 2215f83058765ebaeb7dd164fc2eb22ab250a96ed12b54abf630aa605ee80cef
      • Instruction Fuzzy Hash: 5E2103B6900349CFDB10CFAAC584BDEFBF4AB48320F14842AD559A7250D778A654CFA5
      APIs
        • Part of subcall function 004F409C: GetCurrentThreadId.KERNEL32 ref: 004F40AB
        • Part of subcall function 004F409C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 004F40EE
      • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11FA5FEC), ref: 004F93AA
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CurrentFileSleepThreadView
      • String ID:
      • API String ID: 2270672837-0
      • Opcode ID: 16829569707f2360fc984357035402dafb50777c2824fd5356ba8d3e726a2ebf
      • Instruction ID: 475fa739d9369e7f27849a2c4e6317cf05878d038a1498fce8e129ae8af3227e
      • Opcode Fuzzy Hash: 16829569707f2360fc984357035402dafb50777c2824fd5356ba8d3e726a2ebf
      • Instruction Fuzzy Hash: 8411E83210454EFBCF126FA5CD09EAB3AA6BF4D344B014516FB1155065C73A8872EB6A
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CurrentSleepThread
      • String ID:
      • API String ID: 1164918020-0
      • Opcode ID: 4a28735ff65659e84e7297bc8eeff0679555a6882c23ef907d873eeaafb77b38
      • Instruction ID: 88d290e01d998c5717b71bdb0880c8399eb49ff99e81d8cec5ec19725942bba7
      • Opcode Fuzzy Hash: 4a28735ff65659e84e7297bc8eeff0679555a6882c23ef907d873eeaafb77b38
      • Instruction Fuzzy Hash: FB113C3210010FEADF12AFA5CA0DFBF3A7AAF48344F144026FB1146165CB39CA66EB55
      APIs
      • CreateFileA.KERNELBASE(?,004A6DEE,00000003,00000000,00000003), ref: 004A6EBE
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: e0ec247daa5152f1689ae89582e041db2da4d092f0ed5df236523f049ae9c74a
      • Instruction ID: 5f73f7e65f5939485ca791a98a102d9e2db7932d908ee51fbdf3af6419990a06
      • Opcode Fuzzy Hash: e0ec247daa5152f1689ae89582e041db2da4d092f0ed5df236523f049ae9c74a
      • Instruction Fuzzy Hash: 05F090FB14C2557DF201CE51AEA0AFBB7ADE6C2330B31882BF402C6502D2A90D0D2639
      APIs
      • ImpersonateLoggedOnUser.KERNELBASE(?), ref: 04961367
      Memory Dump Source
      • Source File: 00000000.00000002.2331037755.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4960000_file.jbxd
      Similarity
      • API ID: ImpersonateLoggedUser
      • String ID:
      • API String ID: 2216092060-0
      • Opcode ID: 7f7cc5e39d64127beb76a308f924499af8fc13af2a74eb14d5ab1ddbd2297c67
      • Instruction ID: 6a9df44dcb17514334f6cf3ff79d7e4320e785b079bcdf0a611f54b182fbb4e4
      • Opcode Fuzzy Hash: 7f7cc5e39d64127beb76a308f924499af8fc13af2a74eb14d5ab1ddbd2297c67
      • Instruction Fuzzy Hash: 851143B1800209CFDB10CF9AC545BEEFBF4EF48324F20842AD519A3240D778A544CBA5
      APIs
      • ImpersonateLoggedOnUser.KERNELBASE(?), ref: 04961367
      Memory Dump Source
      • Source File: 00000000.00000002.2331037755.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4960000_file.jbxd
      Similarity
      • API ID: ImpersonateLoggedUser
      • String ID:
      • API String ID: 2216092060-0
      • Opcode ID: 02296b36ce13df5ea3740394eb1033d9ac0ac0226732734094faf04fe43ae344
      • Instruction ID: 95012ce88d57e95dc693ec4d5a81f9a7721e7647e5d8576416eb3f2854177c90
      • Opcode Fuzzy Hash: 02296b36ce13df5ea3740394eb1033d9ac0ac0226732734094faf04fe43ae344
      • Instruction Fuzzy Hash: 081125B1800349CFDB10CF9AC545BDEFBF8AB48724F24842AD559A3640D778A544CBA5
      APIs
        • Part of subcall function 004F409C: GetCurrentThreadId.KERNEL32 ref: 004F40AB
        • Part of subcall function 004F409C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 004F40EE
      • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11FA5FEC,?,?,004F671E,?,?,00000400,?,00000000,?,00000000), ref: 004F8A5B
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CurrentFileReadSleepThread
      • String ID:
      • API String ID: 1253362762-0
      • Opcode ID: 878a84821de4bceb33ff354172290cfbe2d523dc66b950dfb2b7743035a5d356
      • Instruction ID: a3b1e53b0ffd7bcd99a5c45dfb5e3b4e1737d85ae5e3b084166660deee8efc7f
      • Opcode Fuzzy Hash: 878a84821de4bceb33ff354172290cfbe2d523dc66b950dfb2b7743035a5d356
      • Instruction Fuzzy Hash: A0F0F63260010EEFCF125FA5D909DAF3B66EF88344F00411BFB115A121DB3AD5A2AB65
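      Added worked example (not part of the Joe Sandbox report or its tooling): a Python triage script that reads the "APIs" bullets and the .sdmp dump names exactly as they appear in the entries above, attributes each API reference address to the dumped region it falls in, and reproduces the "API ID" similarity key. Three things in it are inferred assumptions rather than documented Joe Sandbox behaviour, and are marked as such in the code: the field layout of the dotted .sdmp name (base address, page protection, region type read as raw VirtualQuery values), the floor lookup of a reference address to the nearest region base (the report lists bases but no sizes), and the API ID rule (split CamelCase, drop two-letter tokens and the Get/Map prefixes, sort, concatenate), which fits every instance on this page. The triage point: the OpenSCManagerW, ControlService and ImpersonateLoggedOnUser references at 0496xxxx resolve to the 04960000 dump, which is PAGE_EXECUTE_READWRITE, MEM_PRIVATE and "based on PE: false", i.e. code the sample unpacked into private memory, whereas the CreateFileA, ReadFile and MapViewOfFileEx references lie in MEM_IMAGE regions of the mapped executable based at 00320000.

```python
"""Triage helpers for the per-function entries of a Joe Sandbox report.

Added example; not Joe Sandbox code. The inputs at the bottom are lines
copied from this report page. Field layouts and the API-ID rule are
inferred assumptions, marked where they apply.
"""
import re
from bisect import bisect_right

# winnt.h page protections and region types.
PAGE_PROTECTION = {0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                   0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
REGION_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_MASK = 0xF0  # every PAGE_EXECUTE* protection sits in the high nibble

# Assumption (inferred from the names on this page, not documented):
#   <pid>.<scan>.<dumpid>.<base>.<protect>.<?>.<type>.<idx>.sdmp
SDMP_RE = re.compile(r"\w+\.\w+\.\w+\.([0-9A-F]{16})\.([0-9A-F]{8})\.\w+\.([0-9A-F]{8})\.\w+\.sdmp", re.I)

# Matches both "Api.MODULE(args), ref: ADDR" and "Api.MODULE ref: ADDR".
API_RE = re.compile(r"(\w+)\.(\w+)(?:\(([^)]*)\))?,? ref: ([0-9A-F]{8})", re.I)


def parse_sdmp(name):
    """Decode base address, protection and region type from a dump name."""
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    prot, rtype = int(m.group(2), 16), int(m.group(3), 16)
    return {"base": int(m.group(1), 16),
            "protection": PAGE_PROTECTION.get(prot, hex(prot)),
            "type": REGION_TYPE.get(rtype, hex(rtype)),
            "executable": bool(prot & EXEC_MASK)}


def parse_api_line(line):
    """Decode one bullet of an 'APIs' list into api/module/args/ref."""
    m = API_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised API line: {line}")
    args = [a for a in (m.group(3) or "").split(",") if a]
    return {"api": m.group(1), "module": m.group(2), "args": args,
            "ref": int(m.group(4), 16),
            "subcall": "Part of subcall function" in line}


def region_for(ref, regions):
    """Region whose base is the highest one not above ref.
    Heuristic: the report gives region bases but no sizes."""
    ordered = sorted(regions, key=lambda r: r["base"])
    i = bisect_right([r["base"] for r in ordered], ref) - 1
    return ordered[i] if i >= 0 else None


def triage(api_lines, dump_names):
    """Attribute each API reference to a dumped region and flag references
    that sit in executable memory which is not a mapped image (unpacked or
    injected code)."""
    regions = [parse_sdmp(n) for n in dump_names]
    out = []
    for line in api_lines:
        e = parse_api_line(line)
        r = region_for(e["ref"], regions)
        e["region"] = r
        e["non_image_code"] = bool(r and r["executable"] and r["type"] != "MEM_IMAGE")
        out.append(e)
    return out


def api_id(api_names):
    """Approximate the report's 'API ID' key. Assumed rule (reproduces every
    instance on this page; not Joe Sandbox's published algorithm): split
    CamelCase, drop tokens of <=2 chars (A/W/Ex/Id/On/Of/SC) and the
    prefixes Get/Map, deduplicate, sort, concatenate."""
    tokens = set()
    for name in api_names:
        for t in re.findall(r"[A-Z][a-z]+|[A-Z]+(?![a-z])", name):
            if len(t) > 2 and t not in {"Get", "Map"}:
                tokens.add(t)
    return "".join(sorted(tokens))


# Inputs copied from this report page (dump names and API bullets).
DUMPS = [
    "00000000.00000002.2331037755.0000000004960000.00000040.00000800.00020000.00000000.sdmp",
    "00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp",
]
API_LINES = [
    "OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04960DCD",
    "ControlService.ADVAPI32(?,?,?), ref: 04961580",
    "ImpersonateLoggedOnUser.KERNELBASE(?), ref: 04961367",
    "CreateFileA.KERNELBASE(?,004A6DEE,00000003,00000000,00000003), ref: 004A6EBE",
    "Part of subcall function 004F409C: GetCurrentThreadId.KERNEL32 ref: 004F40AB",
    "MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11FA5FEC), ref: 004F93AA",
]

if __name__ == "__main__":
    for e in triage(API_LINES, DUMPS):
        r = e["region"] or {"base": 0, "protection": "?", "type": "?"}
        print(f"{e['api']:<24} ref={e['ref']:08X} region={r['base']:08X} "
              f"{r['protection']} {r['type']} non_image_code={e['non_image_code']}")
```

      Run as a script it prints one line per API reference; the three service-control and impersonation calls come out flagged non_image_code=True, the file and mapping calls False. To apply it to another report, paste that report's "Source File"/"Associated" names into DUMPS and its "APIs" bullets into API_LINES; the region attribution is only as good as the dump list, so include every dump of the process.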
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: 19360442d330afcf4d8f83734d75f6a43d63f3849588a99d132c0a35befc9e76
      • Instruction ID: aedf49fd72b0d21b3dc192b7c93e7152fdaa1c6edb7aff8447a7035581d06796
      • Opcode Fuzzy Hash: 19360442d330afcf4d8f83734d75f6a43d63f3849588a99d132c0a35befc9e76
      • Instruction Fuzzy Hash: 19F0547251C510DFD3015E19D98087AF7EAAF98350F260C2FE9C5C7250D6B81C519767
      APIs
      • GetProcAddress.KERNEL32(004F5188,004F5188), ref: 004F5A1D
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: AddressProc
      • String ID:
      • API String ID: 190572456-0
      • Opcode ID: 37332bc96ef4b926ff6c5bc13e6f5134ab6838c4411ebb7322e4b87f2ebde282
      • Instruction ID: 73f02c0c5478d7e3d1bc7a412c49ca5a76e0ecb3d7aaba25d613c1f421091294
      • Opcode Fuzzy Hash: 37332bc96ef4b926ff6c5bc13e6f5134ab6838c4411ebb7322e4b87f2ebde282
      • Instruction Fuzzy Hash: 15E0923560080DFA8F123FB2ED0A87F3E65AF90358B008127BB1598021DF7DC5A3D629
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 78198e188576101d2042d135f8b789000ae65d1ce5e518ee4bb222cbeed626b7
      • Instruction ID: 0cab62ae9cfccd2c1bbc72f9ebb62b69da332f9bdeedefed03470143592786f6
      • Opcode Fuzzy Hash: 78198e188576101d2042d135f8b789000ae65d1ce5e518ee4bb222cbeed626b7
      • Instruction Fuzzy Hash: 21D095A110F2B11ED2021AF1098477E77495BF7315F2580BA6081C71D3FD5450023764
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 511e2cbfc46961a986d6e589209aa204294660e9aaea2e8488350c42a4a29980
      • Instruction ID: 49d3ef54c1646b2ed4df9f2b7e8be9d3437ff5fc83122d669e8d563eb437b11c
      • Opcode Fuzzy Hash: 511e2cbfc46961a986d6e589209aa204294660e9aaea2e8488350c42a4a29980
      • Instruction Fuzzy Hash: 94D095775492771DCA01DF044D90A7D31CC4773715F1E0C791840D30C1C59C7805457C
      APIs
      • CreateFileA.KERNELBASE(?,004A6DEE,00000003,00000000,00000003), ref: 004A6EBE
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: e5bd853f31be1880a606a68c34d7be36ba5ccce1c075e7abbbc7a68e64436499
      • Instruction ID: cd5a0ea60144fe00d18a0c4e208c0976b237872024f2e55981f9ecffaee18e21
      • Opcode Fuzzy Hash: e5bd853f31be1880a606a68c34d7be36ba5ccce1c075e7abbbc7a68e64436499
      • Instruction Fuzzy Hash: ABE0C276148256AED704EF25CCE0A6FB7D9EB66341F45441F94538B681C6390C168B2D
      APIs
      • CreateFileA.KERNELBASE(?,004A6DEE,00000003,00000000,00000003), ref: 004A6EBE
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 900127ba9f5f0571a2559faa264658f14ccd9d71fc288d62e55c76d3f8ff274c
      • Instruction ID: fa4198dfc4a9b6cf900332547be8975aea5411146972bf238ba430bab43e408c
      • Opcode Fuzzy Hash: 900127ba9f5f0571a2559faa264658f14ccd9d71fc288d62e55c76d3f8ff274c
      • Instruction Fuzzy Hash: 5FD02EB2108326DFCBA0EF38CCD0B5E3392EBA2A20F058219D0508B5C1D2694C01A728
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: lstrcmpi
      • String ID:
      • API String ID: 1586166983-0
      • Opcode ID: 428353cd3c740191bc3a4466812cd069536bf8e0f77511902c4365e1f39c1d3a
      • Instruction ID: a65dd7983ac0dcd1f6d428878807f827e3c65bc3a63875486459c78650f71a19
      • Opcode Fuzzy Hash: 428353cd3c740191bc3a4466812cd069536bf8e0f77511902c4365e1f39c1d3a
      • Instruction Fuzzy Hash: EA01C439A0010EBBCF219FA5CC05DAFBB7AEF88380F0011A6B501A5161DB369661DA68
      APIs
      • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,005013ED,?,?,005010F3,?,?,005010F3,?,?,005010F3), ref: 00501411
      Memory Dump Source
      • Source File: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: ac13f3a7586780dc8a59f6504f0fbcbb9913ccf9289819b39f74fb51765b3ea7
      • Instruction ID: 470ae33b2985bfe6749812b6c9f3f3eaef6926fffc9cd12db9469766cc59f9a2
      • Opcode Fuzzy Hash: ac13f3a7586780dc8a59f6504f0fbcbb9913ccf9289819b39f74fb51765b3ea7
      • Instruction Fuzzy Hash: 0DF081B5900305EFDB258F14C905B5DBFB8FF84765F108064F44AAB6A1D3B198C0CB95
      APIs
        • Part of subcall function 004F409C: GetCurrentThreadId.KERNEL32 ref: 004F40AB
        • Part of subcall function 004F409C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 004F40EE
      • CloseHandle.KERNELBASE(004F67B3,-11FA5FEC,?,?,004F67B3,?), ref: 004F6E2E
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CloseCurrentHandleSleepThread
      • String ID:
      • API String ID: 4003616898-0
      • Opcode ID: 01703ff38b0c5c77bf4917aed074cbc06d53515f47ac8de90b0ada84dfa5fa21
      • Instruction ID: b4f473d275d3b0697ecf4eabff9aa655a5b453b71d7a25d26aeda1c8038fe3fa
      • Opcode Fuzzy Hash: 01703ff38b0c5c77bf4917aed074cbc06d53515f47ac8de90b0ada84dfa5fa21
      • Instruction Fuzzy Hash: 09E0127A60454EB5CE217F7DC80ED6F2E299FD5348B000127B70556055DE6891968629
      APIs
      • VirtualAlloc.KERNELBASE(00000000), ref: 0032F969
      Memory Dump Source
      • Source File: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 3311077b29460bd726222e22c9a55b30d2e951cf3986366527b8116fb79e9478
      • Instruction ID: 1446b53975dbb3b537321e7f5491f4160b0d5805e8b08852162c19f30703ae16
      • Opcode Fuzzy Hash: 3311077b29460bd726222e22c9a55b30d2e951cf3986366527b8116fb79e9478
      • Instruction Fuzzy Hash: 1AF092F550CB109FD701AF2AD9853ADFAF4EF94720F06482EDAC487650E3700881CB86
      APIs
      • VirtualAlloc.KERNELBASE(00000000), ref: 0032ED60
      Memory Dump Source
      • Source File: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: f16b54c9b780d550941a073ab28694e63544bd2cf5407c946e4a85ae75944321
      • Instruction ID: a289c3b5b8ef090d0842b757afc2f343236ab03fbae6bc58ed10bfab6c8a8eec
      • Opcode Fuzzy Hash: f16b54c9b780d550941a073ab28694e63544bd2cf5407c946e4a85ae75944321
      • Instruction Fuzzy Hash: 75E039B14083189FD3022F3AE40A2EEB7A8EF15720F10851EF8954AA80D6B08C909F47
      APIs
      • CloseHandle.KERNELBASE(?,?,004F3F3B,?,?), ref: 004F5EBB
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CloseHandle
      • String ID:
      • API String ID: 2962429428-0
      • Opcode ID: c3f17c405cb21df37a6df50fcd48f3e821b13357b2c380101c2458b390dfb729
      • Instruction ID: ed4e513926da914f44fec31d0621a60d3550ec5d31e3de6b3722daaf99dff86e
      • Opcode Fuzzy Hash: c3f17c405cb21df37a6df50fcd48f3e821b13357b2c380101c2458b390dfb729
      • Instruction Fuzzy Hash: A9B0923900460DBBCF11BF52DC0684EBF79FF1A398B008125BA05454628BB6EA719BD4
      APIs
        • Part of subcall function 004F409C: GetCurrentThreadId.KERNEL32 ref: 004F40AB
        • Part of subcall function 004F409C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 004F40EE
      • GetSystemTime.KERNEL32(?,-11FA5FEC), ref: 004F821E
      • GetFileTime.KERNEL32(?,?,?,?,-11FA5FEC), ref: 004F8261
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: Time$CurrentFileSleepSystemThread
      • String ID:
      • API String ID: 3818558864-0
      • Opcode ID: 471c4a46d4d214cf972c814bc049a9a053b7bfa977852d0915cf0089a7fde846
      • Instruction ID: b6e702f69b5c06fee50722611eb827446b93ed3a154ef0a93d232a1ce89a0ae0
      • Opcode Fuzzy Hash: 471c4a46d4d214cf972c814bc049a9a053b7bfa977852d0915cf0089a7fde846
      • Instruction Fuzzy Hash: BB011A3250444EEBCF225F6AD80CDAF3F79EFC5310B00412AFA1149461CF36E4A1EA26
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID:
      • String ID: NTDL
      • API String ID: 0-3662016964
      • Opcode ID: e84fb7ba6c499fda33d1873584c743e9dabca7fa22620a4551e281deb51d27ea
      • Instruction ID: f8daa0fa66d87c3c13beb355b1655e617e0def500f7147426226900127d2bd88
      • Opcode Fuzzy Hash: e84fb7ba6c499fda33d1873584c743e9dabca7fa22620a4551e281deb51d27ea
      • Instruction Fuzzy Hash: F291D07290822EDFCB02DF25E6062EF77A4FF55720F25852AE84287A41D3B25D11EF49
      APIs
      • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 004F90EE
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CryptSignatureVerify
      • String ID:
      • API String ID: 1015439381-0
      • Opcode ID: 7a26f4aebed9d4bb08812ad0a23fd12ce539fbb3afe98ab41e1ae7245100ed3f
      • Instruction ID: 306f2c916d97e27189b05e6e10859a2facde5b583cc0fdacd8c6ad39becde787
      • Opcode Fuzzy Hash: 7a26f4aebed9d4bb08812ad0a23fd12ce539fbb3afe98ab41e1ae7245100ed3f
      • Instruction Fuzzy Hash: FDF0D43660410EFFCF11CF94CA44A9C7BB2FF09344B108126AA0596150DB769AA1EF44
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID:
      • String ID: R
      • API String ID: 0-1466425173
      • Opcode ID: cb347f05f33e1c74230c6690e200bbe9f1fc8a91d9b8fc78b6c871651b15e8b8
      • Instruction ID: f13f36f0dbe1fb20029255abd32c78888985476457cb0811e4e2a9254a43cfcf
      • Opcode Fuzzy Hash: cb347f05f33e1c74230c6690e200bbe9f1fc8a91d9b8fc78b6c871651b15e8b8
      • Instruction Fuzzy Hash: 735168B140864EDFDB01DF24CA85AAF7BB4EF19310F11092AED8582A11E7364D64DF5E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID:
      • String ID: :~
      • API String ID: 0-48370668
      • Opcode ID: 18b92fd2286eea7011e5cf14900b373a191471cf1a05e3b7eb666f0f6549654e
      • Instruction ID: ad1f56e0e059cdda1a2b321c1761a647295499e48bbda84eb530c9f12e93c6f9
      • Opcode Fuzzy Hash: 18b92fd2286eea7011e5cf14900b373a191471cf1a05e3b7eb666f0f6549654e
      • Instruction Fuzzy Hash: 0F3126B150C304AFE31ABF58D88266EFBE8FF18310F06492DE6C582651EB755850CB97
      Memory Dump Source
      • Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5e9b422eb15b25156ea39f7baa39d8899f2e3ae0d1bbf2b945cdbc9bdfb7803a
      • Instruction ID: 3498318d1fd2b3609746f0983ade9795d3ac77b65b68934e2bb839f8559c75bc
      • Opcode Fuzzy Hash: 5e9b422eb15b25156ea39f7baa39d8899f2e3ae0d1bbf2b945cdbc9bdfb7803a
      • Instruction Fuzzy Hash: 32413AB250C610AFE702AF29D8416AEFBF5EF98320F06492DE6C4D3650D7359950CB97
      Memory Dump Source
      • Source File: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: f7680ae1cb260e913c2ef1e2aae19ee925c696635c017fce3f2125a817e3716c
      • Instruction ID: 1c1ca142f5dad7842b89ba3d580685fecc55f6fe1e0e5f4507eecd325ff6659d
      • Opcode Fuzzy Hash: f7680ae1cb260e913c2ef1e2aae19ee925c696635c017fce3f2125a817e3716c
      • Instruction Fuzzy Hash: 42E04F760041059EC7009F54C84599FFBF8FF59310F208445F444C7322C2364C41DB39
      APIs
        • Part of subcall function 004F409C: GetCurrentThreadId.KERNEL32 ref: 004F40AB
        • Part of subcall function 004F409C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 004F40EE
        • Part of subcall function 004F879D: IsBadWritePtr.KERNEL32(?,00000004), ref: 004F87AB
      • wsprintfA.USER32 ref: 004F7765
      • LoadImageA.USER32(?,?,?,?,?,?), ref: 004F7829
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
      • Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324736965.000000000032A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324852174.0000000000335000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2324903944.0000000000336000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325342030.000000000048A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325426870.000000000048C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325523028.00000000004AD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325625619.00000000004B5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325667126.00000000004B6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325713305.00000000004DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325739146.00000000004DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325758559.00000000004E5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325807974.00000000004FD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325828855.00000000004FE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325857838.000000000050F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325880356.0000000000512000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325903341.0000000000514000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325927335.0000000000517000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325953133.000000000051F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325971040.0000000000524000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2325997100.0000000000532000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326022019.0000000000533000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326044235.0000000000534000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326066704.0000000000537000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326088781.000000000053F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326109683.0000000000540000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326147491.0000000000547000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326173431.0000000000549000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326198150.000000000054A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326223519.0000000000552000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326250962.0000000000570000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326282743.0000000000571000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326324408.00000000005A0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326347527.00000000005A2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326369075.00000000005AB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326395774.00000000005AF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B0000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326419200.00000000005B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326486060.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2326514430.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_320000_file.jbxd
      Similarity
      • API ID: CurrentImageLoadSleepThreadWritewsprintf
      • String ID: %8x$%8x
      • API String ID: 2375920415-2046107164
      • Opcode ID: a36b30792a0ce448d64de1d201202e18129c85734a420f55e33c2bbb8997dc33
      • Instruction ID: 2cf4f4d1678af75c7b5cdcbe03d8df8ef8ba15d75424dc07ffa36760b24c2ba2
      • Opcode Fuzzy Hash: a36b30792a0ce448d64de1d201202e18129c85734a420f55e33c2bbb8997dc33
      • Instruction Fuzzy Hash: 0531267190010AFFCF11AF95DC09EAEBB79FF89300F108126B611A61A0D7759A61DB64
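      The Memory Dump Source lists above name every region of the 0x320000 image mapping that was dumped, and the fields of each .sdmp name carry the information an analyst actually wants from them: the base address and the page protection the region had when it was dumped. The following is an added example, not part of the Joe Sandbox report or its tooling. It assumes the positional layout process.stage.dumpid.base.protection.flag.memtype.sequence for the file name; the protection and memory-type fields are decoded with the winnt.h constants (PAGE_* and MEM_IMAGE), which is an assumption justified only by the fact that every value on this page decodes to a valid constant. The sample input is a constructed subset of the lines from this page. A normally loaded PE has no page that is both writable and executable, so listing the MEM_IMAGE regions that are (0x40 PAGE_EXECUTE_READWRITE, 0x80 PAGE_EXECUTE_WRITECOPY) is a quick way to see which parts of the image the sample rewrote at run time:

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# winnt.h page-protection values (low byte; PAGE_GUARD etc. are modifier bits above it)
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
MEM_IMAGE = 0x1000000  # winnt.h memory type for a mapped executable image

# ASSUMED field layout of a Joe Sandbox .sdmp name (not documented on this page):
#   process.stage.dumpid.base.protection.flag.memtype.sequence.sdmp
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>[0-9]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flag>[0-9A-Fa-f]{8})\."
    r"(?P<memtype>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]{8})\.sdmp"
)


@dataclass(frozen=True)
class DumpRegion:
    process: int
    stage: int
    dump_id: int
    base: int
    protect: int
    mem_type: int


def parse_sdmp_name(name: str) -> DumpRegion:
    """Decode one .sdmp file name into its numeric fields (layout assumed, see above)."""
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError(f"not a .sdmp name: {name!r}")
    return DumpRegion(
        process=int(m["proc"], 16),
        stage=int(m["stage"], 16),
        dump_id=int(m["dump"], 10),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["memtype"], 16),
    )


def protection_name(flag: int) -> str:
    return PAGE_PROTECTION.get(flag & 0xFF, f"0x{flag:x}")


def is_rwx(flag: int) -> bool:
    """True when the page is both writable and executable."""
    low = flag & 0xFF
    return low in EXECUTABLE and low in WRITABLE


def regions_from_report(text: str) -> list[DumpRegion]:
    """Pull every .sdmp name out of pasted report text, deduplicated, in order of appearance."""
    seen: set[DumpRegion] = set()
    out: list[DumpRegion] = []
    for m in SDMP_RE.finditer(text):
        region = parse_sdmp_name(m.group(0))
        if region not in seen:
            seen.add(region)
            out.append(region)
    return out


def writable_executable_image_regions(regions: list[DumpRegion]) -> list[DumpRegion]:
    """Image (MEM_IMAGE) regions dumped with an RWX protection: the unpacking signal."""
    return [r for r in regions if r.mem_type == MEM_IMAGE and is_rwx(r.protect)]


def summarize(regions: list[DumpRegion]) -> dict[str, int]:
    """Count regions per decoded protection name."""
    counts: dict[str, int] = {}
    for r in regions:
        name = protection_name(r.protect)
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: a subset of the Memory Dump Source lines from this report.
SAMPLE_REPORT = """\
• Source File: 00000000.00000002.2325523028.00000000004A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2324462057.0000000000320000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324581311.0000000000322000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324656924.0000000000326000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324803594.0000000000334000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325784771.00000000004F0000.00000040.00000001.01000000.00000003.sdmp
"""

if __name__ == "__main__":
    regions = regions_from_report(SAMPLE_REPORT)
    for r in writable_executable_image_regions(regions):
        print(f"0x{r.base:08x}  {protection_name(r.protect)}")
    print(summarize(regions))
```

Run against the full Associated list on this page the same way: paste the block into SAMPLE_REPORT or read it from a file. Two of the regions in the sample (the PE header at 0x320000 with PAGE_READWRITE and 0x326000 with PAGE_WRITECOPY) are writable but not executable and are left out of the RWX list, while 0x322000, 0x334000, 0x4A0000 and 0x4F0000 are reported; the 0x4F0000 region is the one that holds the wsprintfA/LoadImageA function listed directly above.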