
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1563925
MD5: 5c6793c38e495450cfaad82f97cdb333
SHA1: 82450ddb586697958df0b3d1a034592a52f0de02
SHA256: 68773dedc7b901d281897c8a79eeb4af1f56c307b8bf735485df770832c451ff
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6476 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5C6793C38E495450CFAAD82F97CDB333)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: file.exe; ReversingLabs: Detection: 47%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00ABE240 CryptVerifySignatureA, 0_2_00ABE240
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb; source: file.exe, 00000000.00000003.2352663718.0000000005130000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2485880190.00000000008E2000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe; Static PE information: section name: (empty)
Source: file.exe; Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A66B86 0_2_00A66B86
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A66C03 0_2_00A66C03
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A6AE8D 0_2_00A6AE8D
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A6AE0B 0_2_00A6AE0B
Source: C:\Users\user\Desktop\file.exe; Code function: String function: 00AB9235 appears 35 times
Source: file.exe, 00000000.00000002.2485906301.00000000008E6000.00000008.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilename defOff.exe. vs file.exe
Source: file.exe, 00000000.00000002.2488714939.000000000157E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename clr.dllT vs file.exe
Source: file.exe; Binary or memory string: OriginalFilename defOff.exe. vs file.exe
Source: file.exe; Binary or memory string: .vbpO
Source: file.exe; Binary or memory string: XC.vbP
Source: classification engine; Classification label: mal100.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\file.exe; Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe; ReversingLabs: Detection: 47%
Source: file.exe; String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe; String found in binary or memory: nRtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeR
Source: C:\Users\user\Desktop\file.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: sspicli.dll
Source: file.exe; Static file information: File size 2748416 > 1048576
Source: file.exe; Static PE information: Raw size of zkteabrp is bigger than: 0x100000 < 0x299000
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb; source: file.exe, 00000000.00000003.2352663718.0000000005130000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2485880190.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
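The static findings in this section and in the Data Obfuscation section below (a file larger than 1 MiB, a raw section bigger than 1 MiB, a header checksum of 0x2a01ac where 0x2ab639 is expected, an entry point in .taggant, random section names, a section with entropy 7.79, and sections that become writable and executable once unpacked) can all be reproduced from the file alone. The script below is an added example, not part of the Joe Sandbox report or of the sample: it reimplements the CheckSumMappedFile checksum, locates the section that contains the entry point, and scores each section's name, entropy and characteristics. It runs on a small PE32 image constructed inline so that it works offline; the list of standard section names, the 7.0 entropy threshold and the borrowed section name zkteabrp are illustrative assumptions. Call triage() on the bytes of a real file to get the same checks. When weighing the checksum finding, note that the user-mode loader does not verify CheckSum (Windows enforces it only for drivers and boot-time system DLLs), so a stale value is a packer fingerprint, not something that stops the sample from running.

```python
"""Static PE triage: header checksum, entry-point section, section names, entropy, W+X rights."""
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
# Names a normal linker emits; anything else is flagged (assumption: illustrative list).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc",
                     ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA"}

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSumMappedFile: sum 32-bit words except CheckSum, end-around carry, fold, add length."""
    padded = data + b"\0" * (-len(data) % 4)
    total, skip = 0, checksum_offset & ~3
    for i in range(0, len(padded), 4):
        if i == skip:                              # the field being computed is excluded
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)   # unpadded length

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely (packed or encrypted data)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def parse_pe(data: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: entry point RVA, CheckSum field, section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else 0
    if not e_lfanew or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                            # optional header follows the 20-byte COFF header
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    checksum_offset = opt + 64                     # CheckSum sits at +64 in PE32 and PE32+ alike
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "chars": chars, "raw": data[rawptr:rawptr + rawsize]})
    return {"entry_rva": entry_rva, "checksum_offset": checksum_offset, "sections": sections,
            "stored_checksum": struct.unpack_from("<I", data, checksum_offset)[0]}

def triage(data: bytes) -> dict:
    """Run the report's static checks; returns findings plus per-section details."""
    pe = parse_pe(data)
    computed = pe_checksum(data, pe["checksum_offset"])
    entry = pe["entry_rva"]
    entry_section = next((s["name"] for s in pe["sections"]
                          if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])), None)
    findings, rows = [], []
    if pe["stored_checksum"] != computed:
        findings.append(f"checksum mismatch: header {pe['stored_checksum']:#x}, real {computed:#x}")
    if entry_section not in STANDARD_SECTIONS:
        findings.append(f"entry point {entry:#x} lies in non-standard section {entry_section!r}")
    for s in pe["sections"]:
        ent = shannon_entropy(s["raw"])
        wx = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE)
        rows.append({"name": s["name"], "entropy": round(ent, 3), "write_exec": wx})
        if not s["name"] or not s["name"].isprintable():
            findings.append("section with empty or unprintable name")
        elif s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {s['name']!r}")
        if wx:
            findings.append(f"section {s['name']!r} is writable and executable")
        if ent > 7.0:                              # packed/encrypted payload heuristic
            findings.append(f"high entropy ({ent:.2f}) in section {s['name']!r}")
    return {"checksum_ok": pe["stored_checksum"] == computed, "computed_checksum": computed,
            "entry_section": entry_section, "sections": rows, "findings": findings}

def fix_checksum(data: bytes) -> bytes:
    """Copy of the image with its CheckSum field set to the recomputed value."""
    off, out = parse_pe(data)["checksum_offset"], bytearray(data)
    struct.pack_into("<I", out, off, pe_checksum(data, off))
    return bytes(out)

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not the analysed sample): .text filler plus a W+X 'zkteabrp'."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = bytearray(224)                                         # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                        # magic
    struct.pack_into("<I", opt, 16, 0x3000)                      # AddressOfEntryPoint -> zkteabrp
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase; CheckSum (+64) left 0
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    def sec(name, va, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, rawptr, 0, 0, 0, 0, chars)
    headers = (dos + b"PE\0\0" + coff + bytes(opt)
               + sec(b".text", 0x1000, 0x200, 0x60000020)        # CODE | EXECUTE | READ
               + sec(b"zkteabrp", 0x3000, 0x400, 0xE0000040))    # DATA | EXECUTE | READ | WRITE
    text = b"\x90\xC3" * 0x100                                   # nop; ret filler, entropy 1.0
    packed = bytes(range(256)) * 2                               # every value twice, entropy 8.0
    return headers.ljust(0x200, b"\0") + text + packed

if __name__ == "__main__":
    for finding in triage(build_sample_pe())["findings"]:
        print("-", finding)
```

On the constructed image the script reports the checksum mismatch, the entry point in the non-standard section, the W+X rights and the 8.0 entropy; fix_checksum() shows that recomputing and writing the field clears only the first of those, which is the behaviour a packer that bothers to repair CheckSum would exhibit.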

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe; Unpacked PE file: 0.2.file.exe.8e0000.0.unpack, section rights after unpacking: (empty):EW; .rsrc:W; .idata :W; zkteabrp:EW; oljfpuhd:EW; .taggant:EW vs original: (empty):ER; .rsrc:W
Source: initial sample; Static PE information: section where entry point is pointing to: .taggant
Source: file.exe; Static PE information: real checksum: 0x2a01ac should be: 0x2ab639
Source: file.exe; Static PE information: section name: (empty)
Source: file.exe; Static PE information: section name: .idata
Source: file.exe; Static PE information: section name: zkteabrp
Source: file.exe; Static PE information: section name: oljfpuhd
Source: file.exe; Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A66D38 push 62F575FDh; mov dword ptr [esp], ecx 0_2_00A66D75
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A66E84 push esi; mov dword ptr [esp], ecx 0_2_00A66EA2
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A66E84 push ecx; mov dword ptr [esp], esi 0_2_00A66ED9
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A66E84 push ecx; mov dword ptr [esp], esp 0_2_00A66EF9
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A66E84 push ebp; mov dword ptr [esp], eax 0_2_00A66F16
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A66E84 push ebx; mov dword ptr [esp], edi 0_2_00A66F1A
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A66E84 push 0EE7D28Ah; mov dword ptr [esp], ebp 0_2_00A66F72
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A73F6A push eax; mov dword ptr [esp], edx 0_2_00A774D5
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A73F6A push 07DF23FBh; mov dword ptr [esp], ecx 0_2_00A774E0
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A73F6A push esi; mov dword ptr [esp], ecx 0_2_00A7763B
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_008ED082 push edi; mov dword ptr [esp], 2B539B94h 0_2_008ED39F
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_008F10AC push 73B4ED95h; mov dword ptr [esp], eax 0_2_008F1D81
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_008F10AC push eax; mov dword ptr [esp], 2C6927FCh 0_2_008F1D85
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_008F10AC push edx; mov dword ptr [esp], esp 0_2_008F1D90
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00AC3084 push 32B5F6A5h; mov dword ptr [esp], ecx 0_2_00AC30C3
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A690E5 push ebx; ret 0_2_00A6916F
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A7A0ED push ecx; mov dword ptr [esp], edx 0_2_00A7A100
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_008F10DD push 1E553576h; mov dword ptr [esp], edx 0_2_008F0AB0
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_008F10DD push 63FFC35Ah; mov dword ptr [esp], ebx 0_2_008F4B17
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_008F10DD push esi; mov dword ptr [esp], edi 0_2_008F4B1E
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A680FF push 09B58861h; mov dword ptr [esp], esi 0_2_00A684BD
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_008F20D3 push edi; mov dword ptr [esp], edx 0_2_008F20D5
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_008F10F1 push 5AC9AB60h; mov dword ptr [esp], ebx 0_2_008F4502
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_008F10F1 push 530BC8D0h; mov dword ptr [esp], esp 0_2_008F450A
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A7102A push ebp; mov dword ptr [esp], 5E2D31D6h 0_2_00A7170E
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A6B032 push eax; mov dword ptr [esp], 1EBF09D5h 0_2_00A6B047
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A6B032 push ecx; mov dword ptr [esp], 545D0F01h 0_2_00A6B0CD
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A6B032 push edi; mov dword ptr [esp], edx 0_2_00A6B167
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A7A000 push ecx; mov dword ptr [esp], ebx 0_2_00A7A013
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A6B01C push eax; mov dword ptr [esp], 1EBF09D5h 0_2_00A6B047
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A6B01C push ecx; mov dword ptr [esp], 545D0F01h 0_2_00A6B0CD
Source: file.exe; Static PE information: section name: (empty), entropy: 7.79004401594624
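The push/mov pairs listed above are a standard packer substitution. The first push only reserves a stack slot and the mov immediately overwrites it, so "push 62F575FDh; mov dword ptr [esp], ecx" does exactly what "push ecx" does, with the immediate acting as a decoy against pattern matching on push sequences; "push ebx; ret" is an indirect jump through ebx, which is why the report files it under call/push/ret obfuscation. The script below is an added example, not part of the Joe Sandbox report: it parses lines in the format the report prints, rewrites each pair to its single-instruction equivalent and tallies which registers are really pushed. The one edge case is a source of esp: the mov stores the already-decremented esp, so the slot holds the pre-push esp minus 4, not the value a plain "push esp" would store. The five REPORT_LINES are copied from this section (one kept in the fused form the extracted page shows, to prove the parser accepts both); the regexes and function names are this example's own.

```python
"""Rewrite the 'push X; mov dword ptr [esp], Y' pairs a Joe Sandbox report lists to what they do."""
import re
from collections import Counter

# Report line: "<function> <instr>; <instr> <address>"; the address may be fused to the text.
LINE_RE = re.compile(r"^(?P<func>0_2_[0-9A-F]{8}) (?P<seq>.+?)\s*(?P<addr>0_2_[0-9A-F]{8})$")
PUSH_RE = re.compile(r"^push (?P<src>\w+)$")
MOV_ESP_RE = re.compile(r"^mov dword ptr \[esp\], (?P<src>\w+)$")
REGS32 = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}

# Copied from the report's Data Obfuscation section; the third line is left in the fused form.
REPORT_LINES = [
    "0_2_00A66D38 push 62F575FDh; mov dword ptr [esp], ecx 0_2_00A66D75",
    "0_2_00A66E84 push ecx; mov dword ptr [esp], esp 0_2_00A66EF9",
    "0_2_008ED082 push edi; mov dword ptr [esp], 2B539B94h0_2_008ED39F",
    "0_2_00A690E5 push ebx; ret 0_2_00A6916F",
    "0_2_00A6B032 push edi; mov dword ptr [esp], edx 0_2_00A6B167",
]


def simplify(seq: str) -> str:
    """Collapse a two-instruction sequence to the single instruction it is equivalent to."""
    parts = [p.strip() for p in seq.split(";")]
    if len(parts) != 2:
        return seq
    first, second = parts
    m_push = PUSH_RE.match(first)
    if not m_push:
        return seq
    if second == "ret":
        # push value; ret == jump to value: an indirect branch hidden from a linear sweep
        return f"jmp {m_push['src']}"
    m_mov = MOV_ESP_RE.match(second)
    if not m_mov:
        return seq
    src = m_mov["src"]
    if src == "esp":
        # The store runs after push already decremented esp, so the slot holds the new esp,
        # i.e. old esp - 4; a plain 'push esp' would have stored the old esp.
        return "push esp  ; slot holds esp-4, not the pre-push esp"
    return f"push {src}"  # the operand of the first push is dead, only Y survives


def parse_report_line(line: str):
    """Split a report line into (function, sequence, address); None if it is not one."""
    m = LINE_RE.match(line.strip())
    return (m["func"], m["seq"].strip(), m["addr"]) if m else None


def summarise(lines):
    """Normalise every sequence and count which registers really get pushed or jumped to."""
    normalised, targets = [], Counter()
    for line in lines:
        parsed = parse_report_line(line)
        if not parsed:
            continue
        func, seq, addr = parsed
        simple = simplify(seq)
        normalised.append((func, addr, seq, simple))
        operand = simple.split()[1] if simple.startswith(("push ", "jmp ")) else None
        if operand in REGS32:
            targets[operand] += 1
    return normalised, targets


if __name__ == "__main__":
    for func, addr, seq, simple in summarise(REPORT_LINES)[0]:
        print(f"{func} @ {addr}: {seq:<45} => {simple}")
```

Run over the whole Data Obfuscation list, the register tally shows which values the packer's prologue actually saves; the immediates never reach the stack and can be ignored when reading the unpacked code.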

Boot Survival

Source: C:\Users\user\Desktop\file.exe; Window searched: window name: FilemonClass (searched twice)
Source: C:\Users\user\Desktop\file.exe; Window searched: window name: PROCMON_WINDOW_CLASS (searched three times)
Source: C:\Users\user\Desktop\file.exe; Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe; Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe; Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe; Process information set: NOOPENFILEERRORBOX (set 16 times)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe; File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe; File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A4F5A7 second address: A4F5AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A4F5AF second address: A4F5D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FCCD0C7C4B6h 0x0000000a jmp 00007FCCD0C7C4C9h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A4F5D3 second address: A4F5F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCCD0C2CFE0h 0x0000000a jl 00007FCCD0C2CFD6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007FCCD0C2CFD6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A66D4F second address: A66D65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007FCCD0C7C4B6h 0x0000000c jnl 00007FCCD0C7C4B6h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A6741A second address: A67446 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C2CFE7h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FCCD0C2CFDFh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A67446 second address: A6744B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A68DEB second address: A68DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A68DEF second address: A68E00 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCCD0C7C4B8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A68E00 second address: A68E2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FCCD0C2CFE6h 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007FCCD0C2CFDCh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A68ECD second address: A68EE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FCCD0C7C4BEh 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A68EE7 second address: A68EEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A68EEB second address: A68EFC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A68EFC second address: A68F06 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCCD0C2CFD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A68F06 second address: A68F2B instructions: 0x00000000 rdtsc 0x00000002 je 00007FCCD0C7C4B8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 jmp 00007FCCD0C7C4C3h 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A68F2B second address: A68F7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C2CFDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jnl 00007FCCD0C2CFE8h 0x00000013 pop eax 0x00000014 mov dword ptr [ebp+122D2420h], edi 0x0000001a lea ebx, dword ptr [ebp+1244ECB3h] 0x00000020 add cl, FFFFFF8Eh 0x00000023 and ecx, 76A2EC16h 0x00000029 push eax 0x0000002a pushad 0x0000002b push ebx 0x0000002c je 00007FCCD0C2CFD6h 0x00000032 pop ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 push edx 0x00000036 pop edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A68FE7 second address: A690AF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FCCD0C7C4B8h 0x0000000c popad 0x0000000d push eax 0x0000000e jnp 00007FCCD0C7C4D1h 0x00000014 pushad 0x00000015 jmp 00007FCCD0C7C4C7h 0x0000001a push eax 0x0000001b pop eax 0x0000001c popad 0x0000001d nop 0x0000001e je 00007FCCD0C7C4CBh 0x00000024 push 00000000h 0x00000026 je 00007FCCD0C7C4BCh 0x0000002c push 9BE60406h 0x00000031 jmp 00007FCCD0C7C4C7h 0x00000036 add dword ptr [esp], 6419FC7Ah 0x0000003d mov ecx, 6E1EE483h 0x00000042 push 00000003h 0x00000044 push 00000000h 0x00000046 push edx 0x00000047 call 00007FCCD0C7C4B8h 0x0000004c pop edx 0x0000004d mov dword ptr [esp+04h], edx 0x00000051 add dword ptr [esp+04h], 00000018h 0x00000059 inc edx 0x0000005a push edx 0x0000005b ret 0x0000005c pop edx 0x0000005d ret 0x0000005e push 00000000h 0x00000060 mov esi, dword ptr [ebp+122D38D4h] 0x00000066 push 00000003h 0x00000068 push edi 0x00000069 mov esi, 1A1675E3h 0x0000006e pop edi 0x0000006f call 00007FCCD0C7C4B9h 0x00000074 pushad 0x00000075 push eax 0x00000076 push edx 0x00000077 jns 00007FCCD0C7C4B6h 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A690AF second address: A690EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C2CFE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FCCD0C2CFE5h 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FCCD0C2CFDEh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A690EE second address: A690FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FCCD0C7C4BCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A690FC second address: A69130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 jmp 00007FCCD0C2CFE6h 0x0000000e mov eax, dword ptr [eax] 0x00000010 push esi 0x00000011 pushad 0x00000012 jmp 00007FCCD0C2CFDFh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A69130 second address: A69143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a js 00007FCCD0C7C4BEh 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A69143 second address: A691A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 mov dword ptr [ebp+122D1CBFh], edi 0x0000000c lea ebx, dword ptr [ebp+1244ECBCh] 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007FCCD0C2CFD8h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c pushad 0x0000002d mov edi, dword ptr [ebp+122D3BF8h] 0x00000033 mov edx, dword ptr [ebp+122D3A74h] 0x00000039 popad 0x0000003a mov esi, 6D5706EBh 0x0000003f call 00007FCCD0C2CFDEh 0x00000044 mov esi, ecx 0x00000046 pop ecx 0x00000047 push eax 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b jnc 00007FCCD0C2CFD6h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A6925B second address: A6926D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FCCD0C7C4BBh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A7BE1F second address: A7BE23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A898AF second address: A898C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCD0C7C4C3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A87771 second address: A877AF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FCCD0C2CFDCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FCCD0C2CFDCh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FCCD0C2CFE8h 0x00000017 jnp 00007FCCD0C2CFD6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A877AF second address: A877BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A877BB second address: A877BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A87A63 second address: A87A67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A87BCF second address: A87BD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A87BD3 second address: A87BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A87BD9 second address: A87BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A87BE2 second address: A87BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A87D66 second address: A87D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A87D70 second address: A87D95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007FCCD0C7C4B6h 0x0000000c popad 0x0000000d jmp 00007FCCD0C7C4C3h 0x00000012 pushad 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A87D95 second address: A87D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A87D9E second address: A87DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FCCD0C7C4B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A87F73 second address: A87F9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d jg 00007FCCD0C2CFDAh 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FCCD0C2CFE2h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A880D1 second address: A880D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A88248 second address: A8824C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A886A2 second address: A886A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A4BE67 second address: A4BE6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A4BE6B second address: A4BE71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A8902D second address: A89031 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A89031 second address: A8903D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A8903D second address: A8906E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C2CFE8h 0x00000007 jmp 00007FCCD0C2CFE5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A8906E second address: A89090 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 jnc 00007FCCD0C7C4B6h 0x00000019 jnc 00007FCCD0C7C4B6h 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A89090 second address: A890AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C2CFDEh 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FCCD0C2CFD6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A890AA second address: A890AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A8E3F3 second address: A8E3F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A8E4C3 second address: A8E4C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A8E4C7 second address: A8E517 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FCCD0C2CFDAh 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jne 00007FCCD0C2CFE8h 0x0000001b mov eax, dword ptr [eax] 0x0000001d jnl 00007FCCD0C2CFDEh 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jc 00007FCCD0C2CFD6h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A8E517 second address: A8E51D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A8E51D second address: A8E522 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A96002 second address: A96008 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A61C9E second address: A61CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FCCD0C2CFF4h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A95CF8 second address: A95D1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C7C4C8h 0x00000007 jc 00007FCCD0C7C4B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A97F44 second address: A97F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A97F48 second address: A97F80 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCCD0C7C4B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FCCD0C7C4C9h 0x00000012 js 00007FCCD0C7C4B8h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a popad 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A97F80 second address: A97FCA instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCCD0C2CFD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FCCD0C2CFDCh 0x00000010 popad 0x00000011 mov eax, dword ptr [eax] 0x00000013 jmp 00007FCCD0C2CFDEh 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jmp 00007FCCD0C2CFDEh 0x00000021 pop eax 0x00000022 movzx esi, cx 0x00000025 call 00007FCCD0C2CFD9h 0x0000002a pushad 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A97FCA second address: A97FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jg 00007FCCD0C7C4C8h 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A97FF0 second address: A97FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FCCD0C2CFD6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A97FFB second address: A9804B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C7C4C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e jmp 00007FCCD0C7C4BBh 0x00000013 push edx 0x00000014 jbe 00007FCCD0C7C4B6h 0x0000001a pop edx 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e js 00007FCCD0C7C4C3h 0x00000024 push esi 0x00000025 jmp 00007FCCD0C7C4BBh 0x0000002a pop esi 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: First address: A9804B second address: A98056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCCD0C2CFD6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A98428 second address: A9842C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9842C second address: A98430 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9860B second address: A9860F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A98A76 second address: A98A81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FCCD0C2CFD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A98AE9 second address: A98B34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push ebx 0x00000006 push esi 0x00000007 jmp 00007FCCD0C7C4C7h 0x0000000c pop esi 0x0000000d pop ebx 0x0000000e xchg eax, ebx 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FCCD0C7C4B8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov esi, dword ptr [ebp+122D27B4h] 0x0000002f push eax 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A98DAB second address: A98DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A98DAF second address: A98DB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A98E95 second address: A98E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A98E99 second address: A98EA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FCCD0C7C4B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A98FB9 second address: A98FBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99522 second address: A99528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99528 second address: A99550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007FCCD0C2CFE1h 0x0000000e jmp 00007FCCD0C2CFDAh 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99550 second address: A99556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99556 second address: A99599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 jno 00007FCCD0C2CFDCh 0x0000000d mov dword ptr [ebp+122D2FE6h], edx 0x00000013 push 00000000h 0x00000015 mov di, 41C1h 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007FCCD0C2CFD8h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 00000019h 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push edi 0x00000039 push eax 0x0000003a pop eax 0x0000003b pop edi 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99DC9 second address: A99DCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9E1A1 second address: A9E1E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C2CFE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FCCD0C2CFE4h 0x0000000f jno 00007FCCD0C2CFD6h 0x00000015 popad 0x00000016 push ebx 0x00000017 pushad 0x00000018 popad 0x00000019 pop ebx 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9E1E3 second address: A9E20E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FCCD0C7C4BFh 0x0000000d jmp 00007FCCD0C7C4BDh 0x00000012 js 00007FCCD0C7C4B6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9E20E second address: A9E22A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FCCD0C2CFD6h 0x00000009 jmp 00007FCCD0C2CFDDh 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9B7B6 second address: A9B7BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9E22A second address: A9E230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9CED3 second address: A9CED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9B7BC second address: A9B7C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9CED7 second address: A9CEDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A57CBB second address: A57CBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9CEDD second address: A9CEE7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCCD0C7C4BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A57CBF second address: A57CD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C2CFDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9F25C second address: A9F266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FCCD0C7C4B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9FCC0 second address: A9FCC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9F07A second address: A9F08E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCCD0C7C4C0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9FCC8 second address: A9FD43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007FCCD0C2CFD8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 je 00007FCCD0C2CFE4h 0x00000029 pushad 0x0000002a mov esi, dword ptr [ebp+122D39B8h] 0x00000030 sub dword ptr [ebp+1247858Eh], esi 0x00000036 popad 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007FCCD0C2CFD8h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 00000017h 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 mov dword ptr [ebp+122D1F7Eh], eax 0x00000059 push 00000000h 0x0000005b mov edi, dword ptr [ebp+122D3910h] 0x00000061 xchg eax, ebx 0x00000062 push eax 0x00000063 push edx 0x00000064 jnp 00007FCCD0C2CFDCh 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9FD43 second address: A9FD47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9FD47 second address: A9FD4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA0399 second address: AA039D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA2402 second address: AA245F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCCD0C2CFDCh 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FCCD0C2CFD8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 mov ebx, dword ptr [ebp+122D1D85h] 0x0000002f mov ebx, 1B361469h 0x00000034 push 00000000h 0x00000036 movzx edi, bx 0x00000039 push 00000000h 0x0000003b jmp 00007FCCD0C2CFDDh 0x00000040 xchg eax, esi 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 js 00007FCCD0C2CFD6h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA245F second address: AA2469 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCCD0C7C4B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA36F7 second address: AA3702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA46B4 second address: AA46BA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA3702 second address: AA3706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA555C second address: AA55CB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FCCD0C7C4C8h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov ebx, ecx 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FCCD0C7C4B8h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a mov dword ptr [ebp+124785FFh], edx 0x00000030 push 00000000h 0x00000032 call 00007FCCD0C7C4C3h 0x00000037 pop ebx 0x00000038 pushad 0x00000039 mov ecx, dword ptr [ebp+124528F6h] 0x0000003f mov ecx, ebx 0x00000041 popad 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push eax 0x00000047 pop eax 0x00000048 pop eax 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA762D second address: AA7641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCD0C2CFDFh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA7641 second address: AA7663 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C7C4C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FCCD0C7C4B6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAB8C7 second address: AAB8DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C2CFE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAB8DF second address: AAB8F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCCD0C7C4BFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAB8F3 second address: AAB960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FCCD0C2CFD8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 jmp 00007FCCD0C2CFE3h 0x00000029 push 00000000h 0x0000002b mov edi, dword ptr [ebp+122D2D21h] 0x00000031 push 00000000h 0x00000033 mov ebx, dword ptr [ebp+122D2465h] 0x00000039 pushad 0x0000003a pushad 0x0000003b mov eax, dword ptr [ebp+122D3BC0h] 0x00000041 push ecx 0x00000042 pop ebx 0x00000043 popad 0x00000044 or dword ptr [ebp+12450794h], ebx 0x0000004a popad 0x0000004b xchg eax, esi 0x0000004c jbe 00007FCCD0C2CFE8h 0x00000052 push eax 0x00000053 push edx 0x00000054 jo 00007FCCD0C2CFD6h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAB960 second address: AAB964 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAB964 second address: AAB970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAB970 second address: AAB975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAB975 second address: AAB97F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FCCD0C2CFD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB0094 second address: AB0098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB0098 second address: AB009E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB009E second address: AB00C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCCD0C7C4BCh 0x00000008 jne 00007FCCD0C7C4B6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FCCD0C7C4BEh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB10CC second address: AB10D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FCCD0C2CFD6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB1F95 second address: AB1F99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB1F99 second address: AB2020 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FCCD0C2CFDCh 0x0000000e jp 00007FCCD0C2CFECh 0x00000014 popad 0x00000015 nop 0x00000016 jne 00007FCCD0C2CFD9h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007FCCD0C2CFD8h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 sub ebx, dword ptr [ebp+122D1C95h] 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push edi 0x00000043 call 00007FCCD0C2CFD8h 0x00000048 pop edi 0x00000049 mov dword ptr [esp+04h], edi 0x0000004d add dword ptr [esp+04h], 00000015h 0x00000055 inc edi 0x00000056 push edi 0x00000057 ret 0x00000058 pop edi 0x00000059 ret 0x0000005a xchg eax, esi 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB2020 second address: AB202E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCCD0C7C4B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB2FDF second address: AB3052 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d sub dword ptr [ebp+122D1DA9h], ebx 0x00000013 call 00007FCCD0C2CFE5h 0x00000018 mov dword ptr [ebp+122D31ECh], edi 0x0000001e pop edi 0x0000001f push 00000000h 0x00000021 mov ebx, dword ptr [ebp+122D3B00h] 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007FCCD0C2CFD8h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 0000001Dh 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 push eax 0x00000044 pushad 0x00000045 pushad 0x00000046 jmp 00007FCCD0C2CFDCh 0x0000004b pushad 0x0000004c popad 0x0000004d popad 0x0000004e push edi 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAAA7B second address: AAAB0D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCCD0C7C4B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov bx, di 0x0000000e push dword ptr fs:[00000000h] 0x00000015 add edi, dword ptr [ebp+122D3B44h] 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 push 00000000h 0x00000024 push eax 0x00000025 call 00007FCCD0C7C4B8h 0x0000002a pop eax 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f add dword ptr [esp+04h], 00000016h 0x00000037 inc eax 0x00000038 push eax 0x00000039 ret 0x0000003a pop eax 0x0000003b ret 0x0000003c mov eax, dword ptr [ebp+122D0505h] 0x00000042 mov dword ptr [ebp+122D1DC9h], eax 0x00000048 push FFFFFFFFh 0x0000004a push 00000000h 0x0000004c push edx 0x0000004d call 00007FCCD0C7C4B8h 0x00000052 pop edx 0x00000053 mov dword ptr [esp+04h], edx 0x00000057 add dword ptr [esp+04h], 0000001Dh 0x0000005f inc edx 0x00000060 push edx 0x00000061 ret 0x00000062 pop edx 0x00000063 ret 0x00000064 clc 0x00000065 mov dword ptr [ebp+122D3285h], ebx 0x0000006b nop 0x0000006c push ebx 0x0000006d jmp 00007FCCD0C7C4BFh 0x00000072 pop ebx 0x00000073 push eax 0x00000074 push ebx 0x00000075 push eax 0x00000076 push edx 0x00000077 pushad 0x00000078 popad 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AABAE1 second address: AABB58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 jmp 00007FCCD0C2CFE1h 0x0000000b push dword ptr fs:[00000000h] 0x00000012 call 00007FCCD0C2CFE1h 0x00000017 or ebx, dword ptr [ebp+122D3BDCh] 0x0000001d pop edi 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 sub dword ptr [ebp+122D37EAh], edi 0x0000002b mov eax, dword ptr [ebp+122D12F5h] 0x00000031 push 00000000h 0x00000033 push esi 0x00000034 call 00007FCCD0C2CFD8h 0x00000039 pop esi 0x0000003a mov dword ptr [esp+04h], esi 0x0000003e add dword ptr [esp+04h], 00000015h 0x00000046 inc esi 0x00000047 push esi 0x00000048 ret 0x00000049 pop esi 0x0000004a ret 0x0000004b mov dword ptr [ebp+12478346h], ecx 0x00000051 push FFFFFFFFh 0x00000053 add bh, 00000071h 0x00000056 nop 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a push edi 0x0000005b pop edi 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AABB58 second address: AABB61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AABB61 second address: AABB67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AADB17 second address: AADBAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C7C4BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007FCCD0C7C4BCh 0x0000000f popad 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FCCD0C7C4B8h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b or ebx, dword ptr [ebp+122D2EBAh] 0x00000031 push dword ptr fs:[00000000h] 0x00000038 mov bx, CA74h 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 jnp 00007FCCD0C7C4B6h 0x00000049 mov eax, dword ptr [ebp+122D01B1h] 0x0000004f cmc 0x00000050 push FFFFFFFFh 0x00000052 push 00000000h 0x00000054 push edi 0x00000055 call 00007FCCD0C7C4B8h 0x0000005a pop edi 0x0000005b mov dword ptr [esp+04h], edi 0x0000005f add dword ptr [esp+04h], 00000019h 0x00000067 inc edi 0x00000068 push edi 0x00000069 ret 0x0000006a pop edi 0x0000006b ret 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f jl 00007FCCD0C7C4B8h 0x00000075 pushad 0x00000076 popad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB0270 second address: AB0275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB0275 second address: AB02F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCCD0C7C4BAh 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 je 00007FCCD0C7C4C4h 0x00000016 pushad 0x00000017 sub dword ptr [ebp+1246F27Bh], ebx 0x0000001d xor edx, 0A58D985h 0x00000023 popad 0x00000024 push dword ptr fs:[00000000h] 0x0000002b pushad 0x0000002c mov edx, esi 0x0000002e mov si, cx 0x00000031 popad 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 stc 0x0000003a mov eax, dword ptr [ebp+122D1419h] 0x00000040 push 00000000h 0x00000042 push eax 0x00000043 call 00007FCCD0C7C4B8h 0x00000048 pop eax 0x00000049 mov dword ptr [esp+04h], eax 0x0000004d add dword ptr [esp+04h], 00000017h 0x00000055 inc eax 0x00000056 push eax 0x00000057 ret 0x00000058 pop eax 0x00000059 ret 0x0000005a mov dword ptr [ebp+122D2C43h], eax 0x00000060 push ecx 0x00000061 mov di, ax 0x00000064 pop edi 0x00000065 push FFFFFFFFh 0x00000067 jp 00007FCCD0C7C4BAh 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 push edi 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB02F6 second address: AB02FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB02FB second address: AB0309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCCD0C7C4BAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB0309 second address: AB030D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB124B second address: AB1256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCCD0C7C4B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB1256 second address: AB12F1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCCD0C2CFD8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push dword ptr fs:[00000000h] 0x00000014 mov dword ptr [ebp+12452911h], ecx 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 call 00007FCCD0C2CFD8h 0x00000029 pop ebx 0x0000002a mov dword ptr [esp+04h], ebx 0x0000002e add dword ptr [esp+04h], 00000015h 0x00000036 inc ebx 0x00000037 push ebx 0x00000038 ret 0x00000039 pop ebx 0x0000003a ret 0x0000003b pushad 0x0000003c pushad 0x0000003d sub dword ptr [ebp+12450794h], esi 0x00000043 jc 00007FCCD0C2CFD6h 0x00000049 popad 0x0000004a mov ebx, dword ptr [ebp+122D3A48h] 0x00000050 popad 0x00000051 mov eax, dword ptr [ebp+122D1331h] 0x00000057 or dword ptr [ebp+122D1D08h], eax 0x0000005d push FFFFFFFFh 0x0000005f push 00000000h 0x00000061 push ebp 0x00000062 call 00007FCCD0C2CFD8h 0x00000067 pop ebp 0x00000068 mov dword ptr [esp+04h], ebp 0x0000006c add dword ptr [esp+04h], 0000001Ah 0x00000074 inc ebp 0x00000075 push ebp 0x00000076 ret 0x00000077 pop ebp 0x00000078 ret 0x00000079 and bl, FFFFFFB4h 0x0000007c push eax 0x0000007d push eax 0x0000007e push edx 0x0000007f push edx 0x00000080 jmp 00007FCCD0C2CFDDh 0x00000085 pop edx 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB2218 second address: AB221E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB221E second address: AB2222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB2222 second address: AB2231 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB2231 second address: AB2237 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB2237 second address: AB223B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB3215 second address: AB3226 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCCD0C2CFD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC3671 second address: AC3675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC2DF2 second address: AC2E08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C2CFE2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC2E08 second address: AC2E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FCCD0C7C4C4h 0x0000000c jmp 00007FCCD0C7C4BEh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC2E28 second address: AC2E33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC312F second address: AC3135 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC3135 second address: AC3139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ACB426 second address: ACB42C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ACB42C second address: ACB432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A5E7CE second address: A5E7DA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD16CB second address: AD16D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD1C4F second address: AD1C6E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jng 00007FCCD0C7C4B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 je 00007FCCD0C7C4B6h 0x00000016 pushad 0x00000017 popad 0x00000018 jnl 00007FCCD0C7C4B6h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD1F15 second address: AD1F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCD0C2CFDAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD1F24 second address: AD1F3C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 jmp 00007FCCD0C7C4BBh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD1F3C second address: AD1F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD1F41 second address: AD1F4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FCCD0C7C4B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD863E second address: AD8672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007FCCD0C2CFE5h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 js 00007FCCD0C2CFD6h 0x0000001a pop edi 0x0000001b pushad 0x0000001c jl 00007FCCD0C2CFD6h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD8672 second address: AD867B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ADD946 second address: ADD94A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ADD94A second address: ADD964 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C7C4C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ADD964 second address: ADD971 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 push edx 0x00000008 pop edx 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ADD971 second address: ADD977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A967FE second address: A96816 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCCD0C2CFE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A96CE7 second address: A96CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A96CEC second address: A96CF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A96CF2 second address: A96CF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A96F2D second address: A96F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A96F32 second address: A96F54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCCD0C7C4BDh 0x00000008 je 00007FCCD0C7C4B6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9711D second address: A97137 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b mov dword ptr [ebp+122D23E2h], ebx 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A97210 second address: A97214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A97214 second address: A9721D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9737F second address: A97390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCD0C7C4BCh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A97B4D second address: A97BB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FCCD0C2CFDCh 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 adc dx, 1A8Dh 0x00000015 je 00007FCCD0C2CFE2h 0x0000001b jmp 00007FCCD0C2CFDCh 0x00000020 lea eax, dword ptr [ebp+1247C5ABh] 0x00000026 push 00000000h 0x00000028 push esi 0x00000029 call 00007FCCD0C2CFD8h 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], esi 0x00000033 add dword ptr [esp+04h], 0000001Ch 0x0000003b inc esi 0x0000003c push esi 0x0000003d ret 0x0000003e pop esi 0x0000003f ret 0x00000040 mov edx, dword ptr [ebp+122D307Ch] 0x00000046 nop 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a je 00007FCCD0C2CFD6h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A97BB4 second address: A97BC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FCCD0C7C4B6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ADCB8D second address: ADCB91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ADCE50 second address: ADCE5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ADCE5A second address: ADCE60 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ADD243 second address: ADD24D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ADD24D second address: ADD253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE1BC7 second address: AE1BD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE1BD0 second address: AE1BE2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCCD0C2CFD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FCCD0C2CFDCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE1D57 second address: AE1D73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C7C4C5h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE1D73 second address: AE1D79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE212D second address: AE2131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE2131 second address: AE2147 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCCD0C2CFDCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE2147 second address: AE214D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE214D second address: AE2155 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE2155 second address: AE2159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE258F second address: AE2593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE2593 second address: AE25AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C7C4C7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE29A2 second address: AE29B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCCD0C2CFDDh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE29B5 second address: AE29B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE29B9 second address: AE29BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE2EA4 second address: AE2EB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCCD0C7C4BBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE2EB4 second address: AE2EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE2EBA second address: AE2EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE2EC3 second address: AE2ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FCCD0C2CFD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE18A6 second address: AE18C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C7C4C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007FCCD0C7C4B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE18C7 second address: AE1901 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCCD0C2CFD6h 0x00000008 jmp 00007FCCD0C2CFE9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FCCD0C2CFE4h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE1901 second address: AE1907 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE76CF second address: AE76D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE809C second address: AE80A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE80A0 second address: AE80CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C2CFE9h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FCCD0C2CFDBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE80CA second address: AE80CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF010C second address: AF0117 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnc 00007FCCD0C2CFD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A52B8D second address: A52B97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FCCD0C7C4B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A52B97 second address: A52BB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FCCD0C2CFD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push edi 0x00000010 jng 00007FCCD0C2CFD6h 0x00000016 pop edi 0x00000017 push eax 0x00000018 push esi 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF5AB5 second address: AF5ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF5ABB second address: AF5ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCCD0C2CFE5h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF5ADD second address: AF5AE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF5AE1 second address: AF5AE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF5AE7 second address: AF5AF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FCCD0C7C4B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF5F67 second address: AF5F6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF5F6B second address: AF5F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCD0C7C4C4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jc 00007FCCD0C7C4B6h 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF5F8D second address: AF5F92 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF5F92 second address: AF5FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FCCD0C7C4B6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007FCCD0C7C4B6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF60EB second address: AF60F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF60F1 second address: AF6101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCCD0C7C4BCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9764A second address: A9765A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCD0C2CFDBh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9765A second address: A97664 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FCCD0C7C4B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A97664 second address: A976A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FCCD0C2CFD8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 mov ebx, dword ptr [ebp+1247C5A6h] 0x00000029 movzx ecx, di 0x0000002c add eax, ebx 0x0000002e mov edi, eax 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jg 00007FCCD0C2CFD6h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A976A3 second address: A976DF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FCCD0C7C4B8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov di, cx 0x00000027 push 00000004h 0x00000029 pushad 0x0000002a push edi 0x0000002b cmc 0x0000002c pop eax 0x0000002d mov ebx, edx 0x0000002f popad 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 push edx 0x00000035 pop edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF63B3 second address: AF63BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF63BD second address: AF63C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF63C3 second address: AF63CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF63CE second address: AF63FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FCCD0C7C4B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push edi 0x0000000f jmp 00007FCCD0C7C4C3h 0x00000014 pop edi 0x00000015 pushad 0x00000016 push edx 0x00000017 pop edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF703E second address: AF7046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF7046 second address: AF707B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FCCD0C7C4C1h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FCCD0C7C4C3h 0x00000015 js 00007FCCD0C7C4B6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF8A0F second address: AF8A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF8A17 second address: AF8A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF8A1D second address: AF8A23 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AFBA50 second address: AFBA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AFB24F second address: AFB25A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AFB25A second address: AFB262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AFB262 second address: AFB276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jbe 00007FCCD0C2CFD6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AFF80B second address: AFF80F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AFEB55 second address: AFEB76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 jc 00007FCCD0C2CFD6h 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCCD0C2CFE2h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AFEB76 second address: AFEB80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FCCD0C7C4B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AFEB80 second address: AFEB84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B075A7 second address: B075AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B05969 second address: B0596D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B06486 second address: B064C9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCCD0C7C4CDh 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007FCCD0C7C4BEh 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FCCD0C7C4BBh 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B064C9 second address: B064DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCD0C2CFDEh 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B06ADA second address: B06ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B06ADE second address: B06AF5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b ja 00007FCCD0C2CFD6h 0x00000011 pop esi 0x00000012 push eax 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B06FEC second address: B06FF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B0F6F2 second address: B0F6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B0EAC5 second address: B0EACA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B0EACA second address: B0EAE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FCCD0C2CFE7h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B0EAE8 second address: B0EAFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C7C4C3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B0EEDC second address: B0EF06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCD0C2CFE0h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCCD0C2CFDBh 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007FCCD0C2CFD6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B0EF06 second address: B0EF0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B0EF0A second address: B0EF10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B0EF10 second address: B0EF1A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCCD0C7C4BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B0F18F second address: B0F1A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCCD0C2CFDEh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B0F2A1 second address: B0F2A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B0F403 second address: B0F432 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C2CFDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCCD0C2CFDFh 0x00000010 je 00007FCCD0C2CFDCh 0x00000016 jc 00007FCCD0C2CFD6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0F432 second address: B0F440 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007FCCD0C7C4B6h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0F440 second address: B0F444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B16E73 second address: B16EB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCD0C7C4BDh 0x00000009 jmp 00007FCCD0C7C4C4h 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007FCCD0C7C4C6h 0x00000015 jno 00007FCCD0C7C4B6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B15777 second address: B1577D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B15909 second address: B15913 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FCCD0C7C4B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B15913 second address: B15919 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B16430 second address: B16487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jng 00007FCCD0C7C4B6h 0x00000011 popad 0x00000012 push ecx 0x00000013 jmp 00007FCCD0C7C4C4h 0x00000018 pop ecx 0x00000019 popad 0x0000001a pushad 0x0000001b jg 00007FCCD0C7C4C6h 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007FCCD0C7C4BEh 0x00000028 jbe 00007FCCD0C7C4BEh 0x0000002e pushad 0x0000002f jns 00007FCCD0C7C4B6h 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1F25D second address: B1F277 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCCD0C2CFE2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1F277 second address: B1F2A4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCCD0C7C4B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FCCD0C7C4D0h 0x00000010 jmp 00007FCCD0C7C4C8h 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2AE3D second address: B2AE72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FCCD0C2CFDCh 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FCCD0C2CFDDh 0x00000014 pop ecx 0x00000015 jmp 00007FCCD0C2CFDBh 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d pop eax 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2DD92 second address: B2DD9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2DAA3 second address: B2DAAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2DAAB second address: B2DABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 jns 00007FCCD0C7C4B6h 0x0000000c pop edx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B356DD second address: B356E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3433A second address: B34341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34341 second address: B34349 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34349 second address: B3434D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B344C4 second address: B344F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCD0C2CFE7h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c jmp 00007FCCD0C2CFDEh 0x00000011 popad 0x00000012 push esi 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3E374 second address: B3E384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 jl 00007FCCD0C7C4B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4417B second address: B4418B instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCCD0C2CFD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4418B second address: B44191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B44191 second address: B44196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B44629 second address: B4465B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCD0C7C4C9h 0x00000009 popad 0x0000000a pop esi 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007FCCD0C7C4B6h 0x00000014 jmp 00007FCCD0C7C4BAh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4465B second address: B4465F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4465F second address: B44669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B44669 second address: B44673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCCD0C2CFD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B44931 second address: B4494A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jmp 00007FCCD0C7C4C0h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4494A second address: B4494E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4494E second address: B44952 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B44AB1 second address: B44AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B46F01 second address: B46F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B46F07 second address: B46F13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B46F13 second address: B46F19 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B46F19 second address: B46F30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCCD0C2CFE1h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B46F30 second address: B46F36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61AE4 second address: B61AE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61AE8 second address: B61B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCCD0C7C4BEh 0x0000000f jmp 00007FCCD0C7C4C8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61B18 second address: B61B36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCD0C2CFE8h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B649CB second address: B649D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B649D1 second address: B649DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B649DA second address: B649EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCD0C7C4BDh 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B649EF second address: B64A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FCCD0C2CFE7h 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FCCD0C2CFD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B64A13 second address: B64A50 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jne 00007FCCD0C7C4B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 js 00007FCCD0C7C4B6h 0x00000017 jmp 00007FCCD0C7C4C3h 0x0000001c popad 0x0000001d pushad 0x0000001e jo 00007FCCD0C7C4B6h 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 popad 0x00000027 jp 00007FCCD0C7C4BCh 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6457F second address: B64584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B64584 second address: B64590 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FCCD0C7C4B6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B64590 second address: B645B4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCCD0C2CFD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FCCD0C2CFE5h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6BECB second address: B6BED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6C83F second address: B6C856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCD0C2CFDFh 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6C856 second address: B6C8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007FCCD0C7C4CFh 0x0000000b popad 0x0000000c pushad 0x0000000d jp 00007FCCD0C7C4BCh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FCCD0C7C4C6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6C8A0 second address: B6C8A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6FF2F second address: B6FF33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6FF33 second address: B6FF39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70E54 second address: B70E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70E59 second address: B70E5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70E5F second address: B70E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70E63 second address: B70E6D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCCD0C2CFD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70E6D second address: B70E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70E77 second address: B70E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9A989 second address: A9A98D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9AB5D second address: A9AB67 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCCD0C2CFD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9AB67 second address: A9AB83 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCCD0C7C4B8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jns 00007FCCD0C7C4B6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A8E352 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 8EDC91 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: B21C58 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 8F0A51 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeMemory allocated: 5370000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\file.exeMemory allocated: 5530000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\file.exeMemory allocated: 7530000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A69199 rdtsc 0_2_00A69199
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A7AF36 sidt fword ptr [esp-02h]0_2_00A7AF36
Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6968Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: file.exe, file.exe, 00000000.00000002.2486301241.0000000000A70000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2486301241.0000000000A70000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A69199 rdtsc 0_2_00A69199
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008EB7DE LdrInitializeThunk, 0_2_008EB7DE
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.2487615723.0000000000AC0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ABD382 GetSystemTime, GetFileTime, 0_2_00ABD382

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (listed per tactic; a leading number marks a technique the report highlighted, with the count as shown in the report)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
Execution: 2 Command and Scripting Interpreter | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job
Persistence: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Privilege Escalation: 1 Process Injection | 1 DLL Side-Loading | 2 Bypass User Account Control | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Defense Evasion: 41 Disable or Modify Tools | 271 Virtualization/Sandbox Evasion | 1 Process Injection | 1 Deobfuscate/Decode Files or Information | 3 Obfuscated Files or Information | 11 Software Packing | 1 DLL Side-Loading | 2 Bypass User Account Control
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
Discovery: 1 System Time Discovery | 641 Security Software Discovery | 2 Process Discovery | 271 Virtualization/Sandbox Evasion | 23 System Information Discovery | Wi-Fi Discovery | Remote System Discovery | System Owner/User Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services
Collection: 1 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
Command and Control: 2 Encrypted Channel | Junk Data | Steganography | Protocol Impersonation | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 47% | ReversingLabs | Win32.Infostealer.Tinba |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1563925
Start date and time:2024-11-27 16:30:40 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 11s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, ctldl.windowsupdate.com
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.482804309089373
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:2'748'416 bytes
MD5:5c6793c38e495450cfaad82f97cdb333
SHA1:82450ddb586697958df0b3d1a034592a52f0de02
SHA256:68773dedc7b901d281897c8a79eeb4af1f56c307b8bf735485df770832c451ff
SHA512:010806a5a53a8d4817715fa73be284f8f38666429b544cd0cbaf4a7b76ab4a0884279d0ef8f9742b29b40c42e4ab8edfc3e3c99198be11dd55e35c71581854f4
SSDEEP:49152:vtHJIOxCG8EFfZ27WYCDK5AxhZ5+z9q65a:v5JIOYGrZ27KD2zba
TLSH:E5D53B527505B2CFE48E27789427CD82696E42F9872048DBBD6C74BE7DA3CC121F6CA4
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........`*.. ...`....@.. ........................*.......*...`................................
Icon Hash:00928e8e8686b000
Entrypoint:0x6a6000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007FCCD0DC19AAh
bswap esi
sub dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FCCD0DC39A5h
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax*4], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x8055          | 0x69         | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x6000          | 0x59c        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x81f8          | 0x8          | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name                      | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type            | Entropy            | Characteristics
(name not rendered)       | 0x2000          | 0x4000       | 0x1200   | 57f895f399dc34c522cfda6d88c6d215 | False    | 0.9331597222222222  | data                 | 7.79004401594624   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc                     | 0x6000          | 0x59c        | 0x600    | aae15e30898a02f09cc86ed48aa06b09 | False    | 0.4140625           | data                 | 4.036947054771808  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata                    | 0x8000          | 0x2000       | 0x200    | ec9cb51e8cb4ea49a56ee3cf434fb69e | False    | 0.1484375           | data                 | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zkteabrp                  | 0xa000          | 0x29a000     | 0x299000 | 597cb51235c15c4a0c6d89162f002c14 | unknown  | unknown             | unknown              | unknown            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
oljfpuhd                  | 0x2a4000        | 0x2000       | 0x400    | 9b881fc8460b7e2e36ac76cd37d37888 | False    | 0.78515625          | data                 | 6.118431224978517  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant                  | 0x2a6000        | 0x4000       | 0x2200   | 46061ccdcecd2b8685eae7089d3da61d | False    | 0.06169577205882353 | DOS executable (COM) | 0.7484941170073209 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name        | RVA    | Size  | Type                                                                                   | Language | Country | ZLIB Complexity
RT_VERSION  | 0x6090 | 0x30c | data                                                                                   |          |         | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators      |          |         | 0.5489795918367347
DLL          | Import
kernel32.dll | lstrcpy
No network behavior found
Target ID:0
Start time:10:31:38
Start date:27/11/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x8e0000
File size:2'748'416 bytes
MD5 hash:5C6793C38E495450CFAAD82F97CDB333
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true
    Execution Graph

    Execution Coverage:4.9%
    Dynamic/Decrypted Code Coverage:4.2%
    Signature Coverage:2.1%
    Total number of Nodes:285
    Total number of Limit Nodes:12
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00A691C2
    Memory Dump Source
    • Source File: 00000000.00000002.2486301241.0000000000A64000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 2da5b91ef5723f947264e4cec83d624f1a2cfe41daf773b3d61b5690356ae385
    • Instruction ID: 1e282c4df123ec4d79697ce0209e67dcb9e14690d997cbed27001665a84a12c6
    • Opcode Fuzzy Hash: 2da5b91ef5723f947264e4cec83d624f1a2cfe41daf773b3d61b5690356ae385
    • Instruction Fuzzy Hash: 80D05EF34882127DF14263A51D1DABB663DDB93330B31C96AF844E6182F5F40D450134
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2485928471.00000000008EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID:
    • String ID: !!iH
    • API String ID: 0-3430752988
    • Opcode ID: 5d0991801efce1edc8d8c14c88b74afa666e9686c8ad6ca84df1d82c6b19ae51
    • Instruction ID: b673fe5a2adb55e06908e0340af31d7cc176b48b19fc24f78f057deaf1d2b542
    • Opcode Fuzzy Hash: 5d0991801efce1edc8d8c14c88b74afa666e9686c8ad6ca84df1d82c6b19ae51
    • Instruction Fuzzy Hash: F2E086711044C59ACB17BF25880175B3B09FF42700F900125FA41DAA86DB2D0C118756

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 00ABAA19
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00ABAA2D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: 6075d357e13e69aaa6f95b7db5a40a04632aec620b50dc9033eb10fe3ea37556
    • Instruction ID: 8afdccc4b100a4f051b4a190f7794fe8b1034cf1cccd732788da02c216959210
    • Opcode Fuzzy Hash: 6075d357e13e69aaa6f95b7db5a40a04632aec620b50dc9033eb10fe3ea37556
    • Instruction Fuzzy Hash: A2318031904105FFCF25AF50DA05AEE7BBDFF28350F11411AF90696163C73199A0EBA2

    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
    • Basic blocks abae0e-abaeeb; API calls: GetModuleHandleW, GetModuleHandleA; internal calls: aba772, ab9235, ab9947, ab92e0
    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,00ABADA0,?,00000000,00000000), ref: 00ABAECB
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,00ABADA0,?,00000000,00000000), ref: 00ABAED9
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: e579c4f8fb0eb354a3ea857f6cd5140dd6f400524b22355a8fe2ae3a655fbeed
    • Instruction ID: c8a9efa40d59ed836d8de66eb35d0d8966a959a6ce4bf6b311f94dfb05bb58f4
    • Opcode Fuzzy Hash: e579c4f8fb0eb354a3ea857f6cd5140dd6f400524b22355a8fe2ae3a655fbeed
    • Instruction Fuzzy Hash: 6D11273224462AFADF309F14C94DBEE76BCBF24345F40422AA505854A2C7B6D9E4DA93

    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
    • Basic blocks abd768-abd802; API calls: GetFileAttributesW, GetFileAttributesA; internal calls: ab9235, ab9999, ab9947, ab92e0
    APIs
    • GetFileAttributesW.KERNELBASE(015FE482,-119E5FEC), ref: 00ABD7E1
    • GetFileAttributesA.KERNEL32(00000000,-119E5FEC), ref: 00ABD7EF
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 14b5fdd5b5320f254d5a841c74739aa18e3839295b191e0d0c7a0e5afc33ca12
    • Instruction ID: f365de8ef0af0646f88eaf176662d216726596c5db1531dfc2079d8262d4936d
    • Opcode Fuzzy Hash: 14b5fdd5b5320f254d5a841c74739aa18e3839295b191e0d0c7a0e5afc33ca12
    • Instruction Fuzzy Hash: CC0169B0A04205FAEF35AF54CA49BEDBFBCBF05344F204065E106650A3EBB45AD1EB80

    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
    • Basic blocks a73f6a-a778ed; API calls: RegOpenKeyA (two call sites), GetNativeSystemInfo; no internal calls
    APIs
    • RegOpenKeyA.ADVAPI32(80000001,91B30C49,91B3098B), ref: 00A75022
    • RegOpenKeyA.ADVAPI32(80000002,91B3076C,91B3098B), ref: 00A75049
    • GetNativeSystemInfo.KERNELBASE(91B30B8B), ref: 00A750A0
    Memory Dump Source
    • Source File: 00000000.00000002.2486301241.0000000000A70000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: 05751ca6d2c52a59d9057e51fb6bbc09d2dfe9144b558038c6cf0043e7563ab1
    • Instruction ID: 80eb190bb4f941d8c3d192835b558b04f76c93f81aeba30d5871336c2f555e47
    • Opcode Fuzzy Hash: 05751ca6d2c52a59d9057e51fb6bbc09d2dfe9144b558038c6cf0043e7563ab1
    • Instruction Fuzzy Hash: 9D5185B280810EDFEB14DF24CC446AE77E4EF14311F11842EED8582A40EB764CA4DF5A

    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
    • Basic blocks 8eeaf8-8ef934; API call: VirtualAlloc; the final block at 8ef934 branches to itself (self-loop)
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 008EF616
    Memory Dump Source
    • Source File: 00000000.00000002.2485928471.00000000008EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID: O~|w$O~|w
    • API String ID: 4275171209-2275773036
    • Opcode ID: a83193d5a2d60b8d8969f725f59912e128ecf889c62efb47cf501eba955e4b48
    • Instruction ID: 3bb357e21b8f22131f7fb9adc0f3a79162a1fb8413f9a12628f785b75629c7fd
    • Opcode Fuzzy Hash: a83193d5a2d60b8d8969f725f59912e128ecf889c62efb47cf501eba955e4b48
    • Instruction Fuzzy Hash: 680126B350854C8FE700BF79984856EBBE4FB48320F220A2EE9C1D3741DA315C10CB96

    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
    • Basic blocks ab97e8-ab9944; API call: PathAddExtensionA; internal calls: ab9489, ab94c2
    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 00AB984A
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: bf1d2605ba73fdaef59fc7b17219cc185424e063c0eac4078e527531da9b42bc
    • Instruction ID: 34e1436efc094251faaf7802eca6a8da9ea9f656f53e32ca730728ddc750e2a3
    • Opcode Fuzzy Hash: bf1d2605ba73fdaef59fc7b17219cc185424e063c0eac4078e527531da9b42bc
    • Instruction Fuzzy Hash: 4E313936A00209BFDF329FA4CA09BDFBB7AFF48750F040155FA00A5162D7769A61DB91

    Control-flow Graph
    APIs
      • Part of subcall function 00AB9235: GetCurrentThreadId.KERNEL32 ref: 00AB9244
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00ABAF5B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleThread
    • String ID: .dll
    • API String ID: 2752942033-2738580789
    • Opcode ID: 2b8fd0683f6e5724cfee7affe72d29f615b724990d4334f8edb61a6cdf712688
    • Instruction ID: 1cbbab630274f0b1d2d87122796635125e704a7252e264b65cfe57381b6351bb
    • Opcode Fuzzy Hash: 2b8fd0683f6e5724cfee7affe72d29f615b724990d4334f8edb61a6cdf712688
    • Instruction Fuzzy Hash: 3DF01DB1604205BFDF149F64C985BEE3BADFF29350F108115FA1986153C731D551EA52

    Control-flow Graph
    APIs
    • CreateFileW.KERNELBASE(015FE482,?,?,-119E5FEC,?,?,?,-119E5FEC,?), ref: 00ABDA36
      • Part of subcall function 00ABD936: IsBadWritePtr.KERNEL32(?,00000004), ref: 00ABD944
    • CreateFileA.KERNEL32(?,?,?,-119E5FEC,?,?,?,-119E5FEC,?), ref: 00ABDA56
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: e1489287a589e51f84a6130e1b08baa4bbdb8ed6879cec9cd6fd2be4037445c0
    • Instruction ID: 1d53e99d1238a44bde9a0bbeb2757d1ddbe8a45e76529c83b4bb7c66ffbee1a3
    • Opcode Fuzzy Hash: e1489287a589e51f84a6130e1b08baa4bbdb8ed6879cec9cd6fd2be4037445c0
    • Instruction Fuzzy Hash: 50113A3150414AFBDF22AF90CD05BDE7F79BF09344F104119F905654A2E37689B1EB51

    Control-flow Graph
    APIs
      • Part of subcall function 00AB9235: GetCurrentThreadId.KERNEL32 ref: 00AB9244
    • GetCurrentProcess.KERNEL32(-119E5FEC), ref: 00ABD2FD
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ABD363
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessThread
    • String ID:
    • API String ID: 3748180921-0
    • Opcode ID: 8cfcb92d169ecffee9d3db7722a5e2316da4d4eb4f10faeac8a73afb1b063fef
    • Instruction ID: bf394a47ba7d8fe0cb3ecd25cce02d4564e136558b65be8f3fc4c0a8522ecfdd
    • Opcode Fuzzy Hash: 8cfcb92d169ecffee9d3db7722a5e2316da4d4eb4f10faeac8a73afb1b063fef
    • Instruction Fuzzy Hash: CD01FB3220014AFB8F22AFA4CD49CEE3F7DBF99350B004215FA0599013D735D462EB62

    Control-flow Graph
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2486301241.0000000000A64000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    • Associated: 00000000.00000002.2488105336.0000000000B76000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2488182340.0000000000B84000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2488195614.0000000000B86000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 3a6bfce75586b34c95e8eb26cb4cc28ef9438a510359dc93edf1fb0e8f33de68
    • Instruction ID: c861d6735c142e1387f89033ac485f78f7b526987cf41f61f82a05c347c21124
    • Opcode Fuzzy Hash: 3a6bfce75586b34c95e8eb26cb4cc28ef9438a510359dc93edf1fb0e8f33de68
    • Instruction Fuzzy Hash: 993170F250C300AFE7166F09ED817BAFBE9EB84330F22482DE7C542650E6365844969B

    Control-flow Graph

    control_flow_graph 216 abb96f-abb980 217 abb9af-abb9b8 call ab9313 216->217 218 abb986-abb99a call ab9313 216->218 222 abb9be-abb9cf call abb151 217->222 223 abba95-abba98 call ab9338 217->223 228 abba9d 218->228 229 abb9a0-abb9ae 218->229 231 abb9ef-abba2e CreateFileA 222->231 232 abb9d5-abb9d9 222->232 223->228 233 abbaa4-abbaa8 228->233 229->217 237 abba52-abba55 231->237 238 abba34-abba51 231->238 235 abb9df-abb9eb 232->235 236 abb9ec 232->236 235->236 236->231 239 abba5b-abba72 call ab9055 237->239 240 abba88-abba90 call abafe0 237->240 238->237 239->233 247 abba78-abba83 call abb04e 239->247 240->228 247->228
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00ABBA24
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: f0366c4d04b79f6fb4e9c8a132b9c54ca4cca37a49104bba690cbce86cf42002
    • Instruction ID: 702c92154349fce5c544bd268556a8a2c586be9898312f9853ae3b9f8abf00b1
    • Opcode Fuzzy Hash: f0366c4d04b79f6fb4e9c8a132b9c54ca4cca37a49104bba690cbce86cf42002
    • Instruction Fuzzy Hash: 8E315071A10204BFEB209F54DD45FDEBBBCFB08314F10816AF614AA192C7B199919B60

    Control-flow Graph

    control_flow_graph 250 a66e84-a66e8d LoadLibraryA 251 a66e93-a66e99 250->251 252 a66e9f-a66fb1 250->252 251->252
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2486301241.0000000000A64000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 432625e21bd16644cd37579fe3e770de7448e135a27dbf705f72b4aa8a34b625
    • Instruction ID: 767f0bbd63a96dabf6e6da6c5e87b5603efb4880b92063b7fd0696e09f050c17
    • Opcode Fuzzy Hash: 432625e21bd16644cd37579fe3e770de7448e135a27dbf705f72b4aa8a34b625
    • Instruction Fuzzy Hash: 373134B250C610AFD3026F59D8816BEFBF8FF5A320F16092DEAC493610D77658908B97

    Control-flow Graph

    control_flow_graph 254 abb18b-abb19a call ab9313 257 abb2a0 254->257 258 abb1a0-abb1b1 call abb151 254->258 260 abb2a7-abb2ab 257->260 262 abb1d1-abb217 CreateFileA 258->262 263 abb1b7-abb1bb 258->263 266 abb21d-abb23e 262->266 267 abb262-abb265 262->267 264 abb1ce 263->264 265 abb1c1-abb1cd 263->265 264->262 265->264 266->267 275 abb244-abb261 266->275 268 abb26b-abb282 call ab9055 267->268 269 abb298-abb29b call abafe0 267->269 268->260 276 abb288-abb293 call abb04e 268->276 269->257 275->267 276->257
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00ABB20D
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: e04d3926d65f25b99575e3f7a664d9cc7a0f5503dcd91935d0cb20c79c30d756
    • Instruction ID: 9d02481d22b7b09028d116217d5fd450860050b0a939f0436290cad487de9e48
    • Opcode Fuzzy Hash: e04d3926d65f25b99575e3f7a664d9cc7a0f5503dcd91935d0cb20c79c30d756
    • Instruction Fuzzy Hash: 73318F71650204BEEB309F64DC46FDEB7BCEB09724F208269F614AA1D2C7B1A5918B64

    Control-flow Graph

    control_flow_graph 280 53b0d42-53b0d97 283 53b0d99-53b0d9c 280->283 284 53b0d9f-53b0da3 280->284 283->284 285 53b0dab-53b0dda OpenSCManagerW 284->285 286 53b0da5-53b0da8 284->286 287 53b0ddc-53b0de2 285->287 288 53b0de3-53b0df7 285->288 286->285 287->288
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 053B0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2496377945.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_53b0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 9c49896a06418bac45dc9893049920f328d2ed8100e35d3790ab23ef702a1804
    • Instruction ID: 36283a75162041b728d071d78310b7c3ca3c811265bb0e01a1880f788432e030
    • Opcode Fuzzy Hash: 9c49896a06418bac45dc9893049920f328d2ed8100e35d3790ab23ef702a1804
    • Instruction Fuzzy Hash: 512134B6C002099FDB54CF99D884BDEFBB4FF88720F14861AD909AB244D774A940CBA4

    Control-flow Graph

    control_flow_graph 290 53b0d48-53b0d97 292 53b0d99-53b0d9c 290->292 293 53b0d9f-53b0da3 290->293 292->293 294 53b0dab-53b0dda OpenSCManagerW 293->294 295 53b0da5-53b0da8 293->295 296 53b0ddc-53b0de2 294->296 297 53b0de3-53b0df7 294->297 295->294 296->297
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 053B0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2496377945.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_53b0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 40992018b72944bc37e641702239cd142e569aad0eb42a30a0aa766ab47a8bdb
    • Instruction ID: e330de27be4115c941ea8ff4ac6a3477b4b248714db549806bcbbc2522e0139e
    • Opcode Fuzzy Hash: 40992018b72944bc37e641702239cd142e569aad0eb42a30a0aa766ab47a8bdb
    • Instruction Fuzzy Hash: B82132B6C002099FDB54CF99D884ADEFBB4FB88720F14861AD909AB244D774A940CBA4
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 053B1580
    Memory Dump Source
    • Source File: 00000000.00000002.2496377945.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_53b0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: ae214fadfbefda54a8af3f204869628b106513c43fb48f497340409550b1c704
    • Instruction ID: 7878d7597f1446ae2f1a500ac9b0e9ffa323760f17ff57e83d0a4aee4705b3ae
    • Opcode Fuzzy Hash: ae214fadfbefda54a8af3f204869628b106513c43fb48f497340409550b1c704
    • Instruction Fuzzy Hash: F811D3B5904249DFDB10CF9AC584BDEFBF4EB48320F10842AE559A3650D778AA44CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 053B1580
    Memory Dump Source
    • Source File: 00000000.00000002.2496377945.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_53b0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 61f92e2434a30d11ffca5ee0339c270e9b082d0f3e6e8c1a9131cb6b575b42c6
    • Instruction ID: f88c4e31dc9fb5738f6460f7956683de2dd8de795bba7a74f68f88ade1cd3739
    • Opcode Fuzzy Hash: 61f92e2434a30d11ffca5ee0339c270e9b082d0f3e6e8c1a9131cb6b575b42c6
    • Instruction Fuzzy Hash: 111103B6D00249CFDB10CF9AC584BDEBBF4AF48320F10842AD519A3650D378AA44CFA1
    APIs
      • Part of subcall function 00AB9235: GetCurrentThreadId.KERNEL32 ref: 00AB9244
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-119E5FEC), ref: 00ABE543
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    • Associated: 00000000.00000002.2488182340.0000000000B84000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2488195614.0000000000B86000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: CurrentFileThreadView
    • String ID:
    • API String ID: 1949693742-0
    • Opcode ID: 6bf64f68eff26121c9c77ee8cd3306cc8a4dd20bab5f998343362de2e4153e53
    • Instruction ID: 389df6a8f2c0001292873516a8e35dbc7f8ba7a87ace227cc0e663955131f6ee
    • Opcode Fuzzy Hash: 6bf64f68eff26121c9c77ee8cd3306cc8a4dd20bab5f998343362de2e4153e53
    • Instruction Fuzzy Hash: A0119D7250010AEFCF22AFA4DD0ADEA3B6EAF59344B008615FA0655022D736C5B2EB61
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    • Associated: 00000000.00000002.2485849792.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485880190.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485906301.00000000008E6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485928471.00000000008EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485980156.00000000008F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486206833.0000000000A48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486268814.0000000000A4B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486301241.0000000000A64000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486301241.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486457579.0000000000A78000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486484547.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486572587.0000000000A83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487410286.0000000000A88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487467205.0000000000A9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487485679.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487506502.0000000000AA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487529651.0000000000AA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487557135.0000000000AA8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487597224.0000000000ABF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487615723.0000000000AC0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487630195.0000000000AC1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487647151.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487662801.0000000000AD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487676736.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487692646.0000000000AE1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487712061.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487727142.0000000000AE4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487741601.0000000000AE9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487757763.0000000000AF8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487779992.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487798941.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487814360.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487828458.0000000000AFD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487874157.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487890073.0000000000B07000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487905134.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487919447.0000000000B0D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487932952.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487946273.0000000000B0F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487966851.0000000000B10000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487980683.0000000000B11000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487999466.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488016389.0000000000B28000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488029857.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488042199.0000000000B2A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488077878.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488105336.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488105336.0000000000B76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488182340.0000000000B84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488195614.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: CurrentThread
    • String ID:
    • API String ID: 2882836952-0
    • Opcode ID: 6771f9e9d9cb220907932ec198d6f940b55a21b626e80829dc24dc94e3493d31
    • Instruction ID: f9d96ffa132e9e3497c6a491ca2135c17c4b45ec4da8cd61b4814218452a699a
    • Opcode Fuzzy Hash: 6771f9e9d9cb220907932ec198d6f940b55a21b626e80829dc24dc94e3493d31
    • Instruction Fuzzy Hash: 74115B3250020AEFCF16EFA4C90AEDE3BBDAF44340F188415FA159A163C779C965EB61
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 053B1367
    Memory Dump Source
    • Source File: 00000000.00000002.2496377945.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_53b0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: c53feace88b3ed5fa1ce235c670b1390b5a82a3bd6b70586b6e8f0b6bd67ecdc
    • Instruction ID: cad7c89fae768fa4785a282ecd5ce2b485596d4abbb7dba27375264c2f299374
    • Opcode Fuzzy Hash: c53feace88b3ed5fa1ce235c670b1390b5a82a3bd6b70586b6e8f0b6bd67ecdc
    • Instruction Fuzzy Hash: A71143B1800249CFDB10CF9AC884BDEBBF4EF48720F10842AD518A3650D778A940CFA1
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 053B1367
    Memory Dump Source
    • Source File: 00000000.00000002.2496377945.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_53b0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 7638dc44650bb82d28f5f8bca8ee2cfb21f49845c99e897fee272afbbac4ad14
    • Instruction ID: 7f92a90825075edaa7df0a57ca89396ab56b26de6aab0b3ed9f72fbc34b8abf2
    • Opcode Fuzzy Hash: 7638dc44650bb82d28f5f8bca8ee2cfb21f49845c99e897fee272afbbac4ad14
    • Instruction Fuzzy Hash: C11133B1804249CFDB10CF9AC944BEEFBF8EF48720F10846AD518A3650D778A984CFA5
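The two ImpersonateLoggedOnUser entries above come from a region whose dump is marked "based on PE: false" and whose name carries 00000040 and 00020000 in the fifth and seventh fields, which line up with PAGE_EXECUTE_READWRITE and MEM_PRIVATE from winnt.h, i.e. a writable and executable allocation that no module on disk backs. The decoder below is an added example, not part of the Joe Sandbox report or of Joe Security's own tooling: the field layout (field 4 base address, field 5 page protection, field 7 MEMORY_BASIC_INFORMATION.Type) is inferred from the names on this page and is an assumption, and the remaining fields are deliberately left undecoded. It separates the case a practitioner wants surfaced first (W+X memory outside the image, where unpacked or injected code runs) from W+X pages inside the mapped PE (the "changes PE section rights" unpacking signature listed at the top of the report), and it tolerates the "Download File" link text that gets fused onto the names when the report is copied from the web page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Page protection constants from winnt.h. ASSUMPTION: field 5 of a Joe Sandbox
# .sdmp name holds this value (the page shows 0x04, 0x08, 0x40 and 0x80 there).
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# MEMORY_BASIC_INFORMATION.Type constants from winnt.h. ASSUMPTION: field 7 holds
# this value (0x01000000 on the "based on PE: true" dumps, 0x00020000 on the
# "based on PE: false" one, matching MEM_IMAGE and MEM_PRIVATE).
MEM_TYPES = {0x00020000: "MEM_PRIVATE", 0x00040000: "MEM_MAPPED", 0x01000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<field6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<field8>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        # Mask off PAGE_GUARD / PAGE_NOCACHE style modifier bits before the lookup.
        return PAGE_PROTECTIONS.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPES.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def is_wx(self) -> bool:
        p = self.protect & 0xFF
        return p in EXECUTABLE and p in WRITABLE

    @property
    def image_backed(self) -> bool:
        return self.mem_type == 0x01000000


def parse_sdmp(name: str) -> DumpRegion:
    """Decode one .sdmp file name into base address, protection and memory type."""
    name = name.strip()
    if name.endswith("Download File"):  # link text fused onto names copied from the page
        name = name[: -len("Download File")]
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(name, int(m["base"], 16), int(m["protect"], 16), int(m["mtype"], 16))


def classify(region: DumpRegion) -> str:
    """'wx-private': executable and writable but not image-backed (unpacked or injected
    code, the strongest signal); 'wx-image': W+X inside the mapped PE (section rights
    changed by an unpacker); 'image' / 'other' for everything else."""
    if region.is_wx:
        return "wx-image" if region.image_backed else "wx-private"
    return "image" if region.image_backed else "other"


def triage(names: Iterable[str]) -> List[str]:
    """One line per region, most suspicious first, for a quick read of a dump list."""
    order = {"wx-private": 0, "wx-image": 1, "other": 2, "image": 3}
    regions = sorted((parse_sdmp(n) for n in names), key=lambda r: (order[classify(r)], r.base))
    return [f"{classify(r):10} {r.base:#010x} {r.protect_name:24} {r.mem_type_name}" for r in regions]


# Constructed sample: three names taken from the entries on this page, one of them
# still carrying the page's "Download File" residue.
SAMPLE_NAMES = [
    "00000000.00000002.2485849792.00000000008E0000.00000004.00000001.01000000.00000003.sdmpDownload File",
    "00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2496377945.00000000053B0000.00000040.00000800.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for line in triage(SAMPLE_NAMES):
        print(line)
```

Run against the full list of Associated dumps from one entry, the output puts the 053B0000 region alone at the top as wx-private, the 0x40 and 0x80 pages of the 008E0000 image next as wx-image, and the PAGE_READWRITE / PAGE_WRITECOPY image pages last; that ordering is what tells you which .sdmp to open first when looking for the code that calls ImpersonateLoggedOnUser.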
    APIs
      • Part of subcall function 00AB9235: GetCurrentThreadId.KERNEL32 ref: 00AB9244
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-119E5FEC,?,?,00ABB8B7,?,?,00000400,?,00000000,?,00000000), ref: 00ABDBF4
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    • Associated: 00000000.00000002.2485849792.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485880190.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485906301.00000000008E6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485928471.00000000008EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485980156.00000000008F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486206833.0000000000A48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486268814.0000000000A4B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486301241.0000000000A64000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486301241.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486457579.0000000000A78000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486484547.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486572587.0000000000A83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487410286.0000000000A88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487467205.0000000000A9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487485679.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487506502.0000000000AA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487529651.0000000000AA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487557135.0000000000AA8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487597224.0000000000ABF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487615723.0000000000AC0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487630195.0000000000AC1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487647151.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487662801.0000000000AD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487676736.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487692646.0000000000AE1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487712061.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487727142.0000000000AE4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487741601.0000000000AE9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487757763.0000000000AF8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487779992.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487798941.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487814360.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487828458.0000000000AFD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487874157.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487890073.0000000000B07000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487905134.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487919447.0000000000B0D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487932952.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487946273.0000000000B0F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487966851.0000000000B10000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487980683.0000000000B11000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487999466.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488016389.0000000000B28000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488029857.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488042199.0000000000B2A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488077878.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488105336.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488105336.0000000000B76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488182340.0000000000B84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488195614.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: CurrentFileReadThread
    • String ID:
    • API String ID: 2348311434-0
    • Opcode ID: f597faceda809ecaf7efa65d9c750ea9ea2deec9bfdb2a4017a21e1e4179460d
    • Instruction ID: 71e3d4f3b9f4fcbdfcc09712919039119727882f05a8f7e52be6b44641e0e624
    • Opcode Fuzzy Hash: f597faceda809ecaf7efa65d9c750ea9ea2deec9bfdb2a4017a21e1e4179460d
    • Instruction Fuzzy Hash: 11F0C93220414AFBCF126FA8C909EDE3F6EFF4A344F054121F60559022D772D4A1EB61
    Memory Dump Source
    • Source File: 00000000.00000002.2486301241.0000000000A64000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    • Associated: 00000000.00000002.2485849792.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485880190.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485906301.00000000008E6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485928471.00000000008EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485980156.00000000008F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486206833.0000000000A48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486268814.0000000000A4B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486301241.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486457579.0000000000A78000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486484547.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486572587.0000000000A83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487410286.0000000000A88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487467205.0000000000A9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487485679.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487506502.0000000000AA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487529651.0000000000AA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487557135.0000000000AA8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487597224.0000000000ABF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487615723.0000000000AC0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487630195.0000000000AC1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487647151.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487662801.0000000000AD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487676736.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487692646.0000000000AE1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487712061.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487727142.0000000000AE4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487741601.0000000000AE9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487757763.0000000000AF8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487779992.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487798941.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487814360.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487828458.0000000000AFD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487874157.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487890073.0000000000B07000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487905134.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487919447.0000000000B0D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487932952.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487946273.0000000000B0F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487966851.0000000000B10000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487980683.0000000000B11000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487999466.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488016389.0000000000B28000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488029857.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488042199.0000000000B2A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488077878.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488105336.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488105336.0000000000B76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488182340.0000000000B84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488195614.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 47d6156d56e94ca10ebfef302bf36ead724ff041d1aef644792655884287e80e
    • Instruction ID: d9ac2d08407e3db304ae2ddeb917fe230ae6a7614dac5f6fb5c3831970070012
    • Opcode Fuzzy Hash: 47d6156d56e94ca10ebfef302bf36ead724ff041d1aef644792655884287e80e
    • Instruction Fuzzy Hash: 4FF0E5F20842472EE202ABB58A1DAAF7B3CDB43230B3186AEF804D7542E2B55D450265
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    • Associated: 00000000.00000002.2485849792.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485880190.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485906301.00000000008E6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485928471.00000000008EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485980156.00000000008F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486206833.0000000000A48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486268814.0000000000A4B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486301241.0000000000A64000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486301241.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486457579.0000000000A78000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486484547.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486572587.0000000000A83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487410286.0000000000A88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487467205.0000000000A9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487485679.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487506502.0000000000AA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487529651.0000000000AA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487557135.0000000000AA8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487597224.0000000000ABF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487615723.0000000000AC0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487630195.0000000000AC1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487647151.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487662801.0000000000AD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487676736.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487692646.0000000000AE1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487712061.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487727142.0000000000AE4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487741601.0000000000AE9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487757763.0000000000AF8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487779992.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487798941.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487814360.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487828458.0000000000AFD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487874157.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487890073.0000000000B07000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487905134.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487919447.0000000000B0D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487932952.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487946273.0000000000B0F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487966851.0000000000B10000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487980683.0000000000B11000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487999466.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488016389.0000000000B28000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488029857.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488042199.0000000000B2A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488077878.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488105336.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488105336.0000000000B76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488182340.0000000000B84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488195614.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: 7cf83a482cae412b21e09941299e00a1149f97e6fb69b4d422e46ba867c595e3
    • Instruction ID: 1cf583f1e4656f8adc56b56724fb8aef34c203fd98ad4d3fcad3223ecff5d357
    • Opcode Fuzzy Hash: 7cf83a482cae412b21e09941299e00a1149f97e6fb69b4d422e46ba867c595e3
    • Instruction Fuzzy Hash: 4301E831A00509BFDF219FA5CC45DDEBF7AEF88340F0041A5E914A4061E7338A62DF61
    APIs
      • Part of subcall function 00AB9235: GetCurrentThreadId.KERNEL32 ref: 00AB9244
    • CloseHandle.KERNELBASE(00ABB94C,-119E5FEC,?,?,00ABB94C,?), ref: 00ABBFC7
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Similarity
    • API ID: CloseCurrentHandleThread
    • String ID:
    • API String ID: 3305057742-0
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 008EF5FB
    Memory Dump Source
    • Source File: 00000000.00000002.2485928471.00000000008EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    APIs
    • CloseHandle.KERNELBASE(?,?,00AB90D4,?,?), ref: 00ABB054
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    APIs
      • Part of subcall function 00AB9235: GetCurrentThreadId.KERNEL32 ref: 00AB9244
    • GetSystemTime.KERNEL32(?,-119E5FEC), ref: 00ABD3B7
    • GetFileTime.KERNEL32(?,?,?,?,-119E5FEC), ref: 00ABD3FA
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Similarity
    • API ID: Time$CurrentFileSystemThread
    • String ID:
    • API String ID: 2191017843-0
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 00ABE287
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    • Opcode ID: 0776b10c77703c4a92cc5f150af499954ffa1b9f25270d252b5d95b869d5c12c
    • Instruction ID: d56cd6cee2a4be1a8448426dd6fa849b2502239ae99893a8ddc85e66891bdb77
    • Opcode Fuzzy Hash: 0776b10c77703c4a92cc5f150af499954ffa1b9f25270d252b5d95b869d5c12c
    • Instruction Fuzzy Hash: 4EF0F83260020AFFCF01CFA4D904ACC7BB5FF09345B108125F91596121D375DA61EF44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2486301241.0000000000A64000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID:
    • String ID: e6?
    • API String ID: 0-1619617767
    • Opcode ID: f4c8b34ee272c6f6cd36e06f315bb58a8b6ee5585dbf96c81f771a14761473e9
    • Instruction ID: d6ac2eee97e54aa4fdce47d16189aad3fb5c378eed5f481e3bc02ebbc3328bf2
    • Opcode Fuzzy Hash: f4c8b34ee272c6f6cd36e06f315bb58a8b6ee5585dbf96c81f771a14761473e9
    • Instruction Fuzzy Hash: E65181B250D7809FD702AF28C8916AAFFF4FF56300F0A89AED2C48B651D6359454CB93
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2486301241.0000000000A64000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID:
    • String ID: e6?
    • API String ID: 0-1619617767
    • Opcode ID: ae6a4f73102f6a5aa2d4d9ea75f8ce6a012e458ed8de68b321fb89c74446f2fa
    • Instruction ID: f5d818547035c8022d1f3aec5bb0ddca8527e0ae510c8c22b7e7927a1def9b1d
    • Opcode Fuzzy Hash: ae6a4f73102f6a5aa2d4d9ea75f8ce6a012e458ed8de68b321fb89c74446f2fa
    • Instruction Fuzzy Hash: C541C2B250D740AFD702AF28C8916AABFF4FF96300F0A896EE2C487651D6359444CB93
    Memory Dump Source
    • Source File: 00000000.00000002.2486301241.0000000000A64000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: afcc5f24777a63b8b4754618790d4c4dd98d3751254f909f9193fbde9eff2374
    • Instruction ID: ffe0b4589999635b79cf7b9339c647e82eb291abac485a79591e20d76df785a0
    • Opcode Fuzzy Hash: afcc5f24777a63b8b4754618790d4c4dd98d3751254f909f9193fbde9eff2374
    • Instruction Fuzzy Hash: A751986294D3C29FD7138B7498B1695BFB0AE6B31030D86DBC1D0CF5A3D318984AEB52
    Memory Dump Source
    • Source File: 00000000.00000002.2486301241.0000000000A64000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7c0c8cc428684a6e525f8d988a02a138659b38bac897581741861c202c8ee077
    • Instruction ID: 61b4fef88b7f2c72f386db6b9fe5766569faeb8b3967ddf2603a110895d46ebf
    • Opcode Fuzzy Hash: 7c0c8cc428684a6e525f8d988a02a138659b38bac897581741861c202c8ee077
    • Instruction Fuzzy Hash: F941536250D7D29FC713CB7498A1295BFB0BE5B30030D86DBC1D18B5A3D718944AEB62
    Memory Dump Source
    • Source File: 00000000.00000002.2486484547.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 518d54c0f68786b8a03b6b5f39f13bc386c7cfba9b6075858dc99cca09098494
    • Instruction ID: 8ce704dedd3ba217ebe4c9f6c7dd27b49bf5ba79610e678fb1ad6b6ffdb2ad86
    • Opcode Fuzzy Hash: 518d54c0f68786b8a03b6b5f39f13bc386c7cfba9b6075858dc99cca09098494
    • Instruction Fuzzy Hash: 81E04676104101AADB00AF54C85999FFBF8FF59321F21D84AF888CB726C2358D41CB2A
    APIs
      • Part of subcall function 00AB9235: GetCurrentThreadId.KERNEL32 ref: 00AB9244
      • Part of subcall function 00ABD936: IsBadWritePtr.KERNEL32(?,00000004), ref: 00ABD944
    • wsprintfA.USER32 ref: 00ABC8FE
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 00ABC9C2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    • Associated: 00000000.00000002.2485849792.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485880190.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485906301.00000000008E6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485928471.00000000008EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485980156.00000000008F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486206833.0000000000A48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486268814.0000000000A4B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486301241.0000000000A64000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486301241.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486457579.0000000000A78000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486484547.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486572587.0000000000A83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487410286.0000000000A88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487467205.0000000000A9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487485679.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487506502.0000000000AA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487529651.0000000000AA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487557135.0000000000AA8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487597224.0000000000ABF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487615723.0000000000AC0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487630195.0000000000AC1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487647151.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487662801.0000000000AD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487676736.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487692646.0000000000AE1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487712061.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487727142.0000000000AE4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487741601.0000000000AE9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487757763.0000000000AF8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487779992.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487798941.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487814360.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487828458.0000000000AFD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487874157.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487890073.0000000000B07000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487905134.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487919447.0000000000B0D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487932952.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487946273.0000000000B0F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487966851.0000000000B10000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487980683.0000000000B11000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487999466.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488016389.0000000000B28000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488029857.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488042199.0000000000B2A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488077878.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488105336.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488105336.0000000000B76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488182340.0000000000B84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488195614.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 439219941-2046107164
    • Opcode ID: ac9334d048c000a3c38dd187774b892c8f68cf379309f75c9d220af714ca2a65
    • Instruction ID: 1cb7ef8af8b5f48c67aebf3af2d1e4f3d9507af8929165bc8bf77f5154ae678e
    • Opcode Fuzzy Hash: ac9334d048c000a3c38dd187774b892c8f68cf379309f75c9d220af714ca2a65
    • Instruction Fuzzy Hash: C8312A31A0010AFFDF119F94DD09EEEBB79FF88710F108126F511A6161D7319A61DB51
    APIs
    • GetFileAttributesExW.KERNEL32(015FE482,00004020,00000000,-119E5FEC), ref: 00ABD576
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
    • Associated: 00000000.00000002.2485849792.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485880190.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485906301.00000000008E6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485928471.00000000008EA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2485980156.00000000008F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486206833.0000000000A48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486268814.0000000000A4B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486301241.0000000000A64000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486301241.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486457579.0000000000A78000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486484547.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2486572587.0000000000A83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487410286.0000000000A88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487467205.0000000000A9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487485679.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487506502.0000000000AA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487529651.0000000000AA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487557135.0000000000AA8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487597224.0000000000ABF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487615723.0000000000AC0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487630195.0000000000AC1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487647151.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487662801.0000000000AD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487676736.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487692646.0000000000AE1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487712061.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487727142.0000000000AE4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487741601.0000000000AE9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487757763.0000000000AF8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487779992.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487798941.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487814360.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487828458.0000000000AFD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487874157.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487890073.0000000000B07000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487905134.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487919447.0000000000B0D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487932952.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487946273.0000000000B0F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487966851.0000000000B10000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487980683.0000000000B11000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2487999466.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488016389.0000000000B28000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488029857.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488042199.0000000000B2A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488077878.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488105336.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488105336.0000000000B76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488182340.0000000000B84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2488195614.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8e0000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: c9eecb362e628c79d3d560e77c05709a8e1b74ce5a26f61c3af9b514ec4faf50
    • Instruction ID: 8c0e3cb6f363df8a7eb920b1ec9451c77bbe0d938ee3a1863725ba8e920e940d
    • Opcode Fuzzy Hash: c9eecb362e628c79d3d560e77c05709a8e1b74ce5a26f61c3af9b514ec4faf50
    • Instruction Fuzzy Hash: 23318DB1904305EFCF258F44C844BDABBB8FF08314F10861AE55967262D375A6A5CB90
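The function entries above each point at a memory-dump source (for example the region at 0x00AB4000 with protection 00000040, inside the image based at 008E0000) plus a long list of associated .sdmp regions, and the API references (ref: 00ABC8FE, ref: 00ABD576) are absolute addresses inside that image. The following is an added helper, not part of the Joe Sandbox report or its IDA plugin, that decodes those dump names into base address, page protection and memory type, deduplicates the repeated association lists, computes the RVA of a referenced address against the reported image base, and flags regions whose protection is executable and writable, which is the condition behind the "Detected unpacking (changes PE section rights)" signature in the report header. The field layout of the .sdmp name is an assumption drawn from the values visible on this page (the fourth field is the region base, the fifth a winnt.h PAGE_* value, the seventh 0x01000000 = MEM_IMAGE); the sixth and eighth fields are carried through undecoded. Because the listing gives no region sizes, a region is assumed to extend up to the next listed base. The sample lines are copied from this section, link-label residue included.

```python
"""Decode Joe Sandbox .sdmp region names from a function listing (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# winnt.h page-protection constants; only the low byte of the protect field is decoded.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_IMAGE = 0x01000000  # MEMORY_BASIC_INFORMATION.Type for image-backed regions

# ASSUMED layout of an .sdmp name (the report page does not document it):
#   <proc>.<snapshot>.<dump_id>.<base>.<protect>.<field6>.<type>.<field8>.sdmp
# field6 and field8 are not interpreted because their meaning is not known here.
DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<snap>[0-9A-F]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<field6>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<field8>[0-9A-F]{8})\.sdmp", re.IGNORECASE)
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-F]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Region:
    name: str
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:08x}")

    @property
    def is_image(self) -> bool:
        return self.mem_type == MEM_IMAGE

    @property
    def writable_executable(self) -> bool:
        # EXECUTE_READWRITE or EXECUTE_WRITECOPY: code pages that can be rewritten in place,
        # which is what "changes PE section rights" is about.
        return (self.protect & 0xFF) in (0x40, 0x80)


def parse_dump_name(text: str) -> Region:
    """Extract the first .sdmp name in a report line; tolerates the 'Download File' link text."""
    m = DUMP_RE.search(text)
    if m is None:
        raise ValueError(f"no .sdmp name in: {text!r}")
    return Region(name=m.group(0), base=int(m["base"], 16),
                  protect=int(m["protect"], 16), mem_type=int(m["type"], 16))


def parse_report_lines(lines: Iterable[str]) -> list[Region]:
    """Parse 'Source File' and 'Associated' lines into a deduplicated, address-sorted list."""
    seen: dict[str, Region] = {}
    for line in lines:
        if ".sdmp" in line:
            r = parse_dump_name(line)
            seen.setdefault(r.name, r)
    return sorted(seen.values(), key=lambda r: r.base)


def image_base(lines: Iterable[str]) -> Optional[int]:
    """Image base from the 'Offset: 008E0000' part of a Source File line, if present."""
    for line in lines:
        m = OFFSET_RE.search(line)
        if m:
            return int(m.group(1), 16)
    return None


def find_region(regions: list[Region], addr: int) -> Optional[Region]:
    """Region with the largest base <= addr (regions sorted ascending).

    ASSUMPTION: a region extends up to the next listed base; the listing carries no sizes,
    so an address above the last base is attributed to the last region."""
    hit = None
    for r in regions:
        if r.base <= addr:
            hit = r
        else:
            break
    return hit


def summarize(lines: list[str], addr: int) -> dict:
    """Locate a referenced address and list the writable+executable regions."""
    regions = parse_report_lines(lines)
    base = image_base(lines)
    hit = find_region(regions, addr)
    return {
        "regions": len(regions),
        "rwx": [hex(r.base) for r in regions if r.writable_executable],
        "hit_base": hex(hit.base) if hit else None,
        "hit_protect": hit.protect_name if hit else None,
        "rva": hex(addr - base) if (hit and base is not None) else None,
    }


# Constructed sample: lines copied from the listing above (link-label residue left in on purpose).
SAMPLE_LINES = [
    "• Source File: 00000000.00000002.2487576745.0000000000AB4000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true",
    "• Associated: 00000000.00000002.2485849792.00000000008E0000.00000004.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2485880190.00000000008E2000.00000040.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2485906301.00000000008E6000.00000008.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2487597224.0000000000ABF000.00000080.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000000.00000002.2488195614.0000000000B86000.00000080.00000001.01000000.00000003.sdmpDownload File",
]

if __name__ == "__main__":
    # The wsprintfA/LoadImageA function above is referenced at 00ABC8FE.
    print(summarize(SAMPLE_LINES, 0x00ABC8FE))
```

Running it places ref 00ABC8FE in the PAGE_EXECUTE_READWRITE region at 0x00AB4000 (RVA 0x1DC8FE from the 0x008E0000 image base), and reports four of the six sampled regions as writable and executable. Feed the full association list to see the same split across the whole unpacked image.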