Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1564520
MD5: 2b03b480ec8647afe04d151fcb12ee99
SHA1: a1c3a8992aefbdc1b98275419e2971cdf306ecbb
SHA256: 1641d8934363108f30946bdd68dbed807afa8a16c11b0908857ac6ae7015313e
Tags: exe user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 936 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2B03B480EC8647AFE04D151FCB12EE99)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE1AEB CryptVerifySignatureA, 0_2_00AE1AEB
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000002.2289061817.0000000000902000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2154941325.0000000004B40000.00000004.00001000.00020000.00000000.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A86116
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090D140
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00915539
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009159F1
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00ADCAE0 appears 35 times
Source: file.exe, 00000000.00000002.2290365147.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2142129623.0000000000906000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04E415D0 ChangeServiceConfigA, 0_2_04E415D0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2778624 > 1048576
Source: file.exe | Static PE information: Raw size of ovmsqngl is bigger than: 0x100000 < 0x2a0600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.900000.0.unpack :EW;.rsrc:W;.idata :W;ovmsqngl:EW;gzdrleae:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2b3832 should be: 0x2af2a5
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: ovmsqngl
Source: file.exe | Static PE information: section name: gzdrleae
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8A028 push edx; mov dword ptr [esp], 6D37323Dh  0_2_00A8A04C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8A028 push edi; mov dword ptr [esp], 6BAFA100h  0_2_00A8A078
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8A028 push edx; mov dword ptr [esp], edi  0_2_00A8A0B2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8A028 push 42B110FDh; mov dword ptr [esp], edi  0_2_00A8A158
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090E438 push 219C93C5h; mov dword ptr [esp], ebp  0_2_0090E44B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A96D08 push ecx; mov dword ptr [esp], esi  0_2_00A96FC1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A96D08 push edi; mov dword ptr [esp], eax  0_2_00A96FC5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A89E92 push ebp; mov dword ptr [esp], 2F38F8AAh  0_2_00A89F33
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A89E92 push ebx; mov dword ptr [esp], esi  0_2_00A89F4F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A89E92 push ebx; mov dword ptr [esp], 6CEFB7BAh  0_2_00A89F63
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A89E92 push ecx; mov dword ptr [esp], edx  0_2_00A89FEC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009120B9 push 0588CCD5h; mov dword ptr [esp], edx  0_2_00912CBD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8609A push ebp; mov dword ptr [esp], 08778507h  0_2_00A860F7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A9A09F push 5B46E3DAh; mov dword ptr [esp], esi  0_2_00A9A0B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A960F9 push 6EC61692h; mov dword ptr [esp], eax  0_2_00A9662E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A87022 push ecx; mov dword ptr [esp], 5CEEDCA1h  0_2_00A8702C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8A03D push edx; mov dword ptr [esp], 6D37323Dh  0_2_00A8A04C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8A03D push edi; mov dword ptr [esp], 6BAFA100h  0_2_00A8A078
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8A03D push edx; mov dword ptr [esp], edi  0_2_00A8A0B2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8A03D push 42B110FDh; mov dword ptr [esp], edi  0_2_00A8A158
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8E03D push ebp; mov dword ptr [esp], edi  0_2_00A8E03E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8E03D push eax; mov dword ptr [esp], esi  0_2_00A8E04F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A86000 push 1F0ED76Dh; mov dword ptr [esp], edi  0_2_00A86029
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A86000 push ebp; mov dword ptr [esp], 08778507h  0_2_00A860F7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8B011 push 091F55DEh; mov dword ptr [esp], edi  0_2_00A8B0B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00911057 push 44C5BD57h; mov dword ptr [esp], ebp  0_2_00911067
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A9607B push 33C33270h; mov dword ptr [esp], edx  0_2_00A9635C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5104D push 0356481Fh; mov dword ptr [esp], eax  0_2_00B510E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00911180 push ecx; mov dword ptr [esp], 3F5780E8h  0_2_0091118D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090C187 push edi; mov dword ptr [esp], esi  0_2_0090C193
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A99188 push ebx; mov dword ptr [esp], edi  0_2_00A99189
Source: file.exe | Static PE information: section name: entropy: 7.748930454036839

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB88D2 second address: AB88D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB88D8 second address: AB88EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20A0D4164Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8A2C second address: AB8A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8A32 second address: AB8A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F20A0D41646h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8FB3 second address: AB8FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8FB7 second address: AB8FF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A0D41653h 0x00000007 jg 00007F20A0D41646h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F20A0D41658h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8FF1 second address: AB9001 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F20A116E94Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB9001 second address: AB900B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F20A0D41652h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB92C0 second address: AB92FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f jc 00007F20A116E946h 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 jmp 00007F20A116E955h 0x0000001d ja 00007F20A116E94Ch 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB9EF1 second address: AB9EF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB9EF7 second address: AB9EFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB9EFB second address: AB9F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA07F second address: ABA083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA083 second address: ABA092 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A0D4164Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA228 second address: ABA246 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F20A116E953h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA246 second address: ABA251 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F20A0D41646h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA7F3 second address: ABA7F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA8DA second address: ABA8EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A0D4164Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABADD5 second address: ABADE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A116E94Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABADE6 second address: ABAE05 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push edi 0x0000000c pop edi 0x0000000d xchg eax, ebx 0x0000000e pushad 0x0000000f jnc 00007F20A0D41648h 0x00000015 pushad 0x00000016 popad 0x00000017 je 00007F20A0D4164Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABB283 second address: ABB28E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F20A116E946h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABC6C0 second address: ABC6D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F20A0D41652h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABDA57 second address: ABDA5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABDA5D second address: ABDA69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABDA69 second address: ABDA86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A116E951h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F20A116E946h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABDA86 second address: ABDA8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABEFB8 second address: ABEFCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20A116E951h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC5F3A second address: AC5F3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC80D3 second address: AC8100 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F20A116E958h 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F20A116E94Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC8100 second address: AC8165 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jg 00007F20A0D41646h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F20A0D41648h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 movzx ebx, ax 0x0000002c push 00000000h 0x0000002e jmp 00007F20A0D41652h 0x00000033 push 00000000h 0x00000035 mov dword ptr [ebp+122D23A6h], eax 0x0000003b xchg eax, esi 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F20A0D41655h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACD203 second address: ACD209 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACD209 second address: ACD21D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20A0D41650h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC2464 second address: AC2468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC60C6 second address: AC614E instructions: 0x00000000 rdtsc 0x00000002 js 00007F20A0D41646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov ebx, 12D088ACh 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov edi, dword ptr [ebp+122D2B21h] 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push esi 0x0000002a call 00007F20A0D41648h 0x0000002f pop esi 0x00000030 mov dword ptr [esp+04h], esi 0x00000034 add dword ptr [esp+04h], 00000018h 0x0000003c inc esi 0x0000003d push esi 0x0000003e ret 0x0000003f pop esi 0x00000040 ret 0x00000041 mov eax, dword ptr [ebp+122D1749h] 0x00000047 push 00000000h 0x00000049 push edi 0x0000004a call 00007F20A0D41648h 0x0000004f pop edi 0x00000050 mov dword ptr [esp+04h], edi 0x00000054 add dword ptr [esp+04h], 0000001Bh 0x0000005c inc edi 0x0000005d push edi 0x0000005e ret 0x0000005f pop edi 0x00000060 ret 0x00000061 mov dword ptr [ebp+122D3934h], esi 0x00000067 movzx edi, cx 0x0000006a push FFFFFFFFh 0x0000006c add ebx, dword ptr [ebp+122D2BC5h] 0x00000072 nop 0x00000073 push eax 0x00000074 push edx 0x00000075 push eax 0x00000076 push edx 0x00000077 push esi 0x00000078 pop esi 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC9586 second address: AC959A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F20A116E94Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACA600 second address: ACA605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC2468 second address: AC2474 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACE2F0 second address: ACE302 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC614E second address: AC6154 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC959A second address: AC95A0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACA605 second address: ACA60F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F20A116E946h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC2474 second address: AC247E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACE302 second address: ACE31A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F20A116E951h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACD445 second address: ACD44B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC6154 second address: AC615A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACE31A second address: ACE31E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC615A second address: AC615E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC615E second address: AC616C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC616C second address: AC6172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC6172 second address: AC6177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC6177 second address: AC6181 instructions: 0x00000000 rdtsc 0x00000002 je 00007F20A116E94Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACF1D1 second address: ACF1DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A0D4164Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD0191 second address: AD0197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD0197 second address: AD019B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD019B second address: AD0237 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A116E957h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ebx 0x0000000d jmp 00007F20A116E94Bh 0x00000012 pop ebx 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007F20A116E948h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e or edi, dword ptr [ebp+122D3952h] 0x00000034 jl 00007F20A116E94Bh 0x0000003a add bx, 441Dh 0x0000003f push 00000000h 0x00000041 jmp 00007F20A116E94Eh 0x00000046 call 00007F20A116E958h 0x0000004b mov di, 29F0h 0x0000004f pop ebx 0x00000050 push 00000000h 0x00000052 push esi 0x00000053 jne 00007F20A116E946h 0x00000059 pop ebx 0x0000005a xchg eax, esi 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f jno 00007F20A116E946h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD0237 second address: AD023B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD023B second address: AD0241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD11F5 second address: AD11FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD144E second address: AD1452 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD623E second address: AD6249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD68A0 second address: AD68BA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F20A116E94Ch 0x00000008 jnl 00007F20A116E946h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jbe 00007F20A116E946h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD6A00 second address: AD6A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD6A07 second address: AD6A0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD6A0E second address: AD6A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jl 00007F20A0D41654h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD6A1F second address: AD6A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADAD95 second address: ADADAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F20A0D4164Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADADAD second address: ADADB2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE653D second address: AE6556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20A0D41653h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6556 second address: AE6580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F20A116E950h 0x0000000c jmp 00007F20A116E953h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6580 second address: AE6584 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6703 second address: AE6734 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A116E958h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F20A116E953h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6857 second address: AE685C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6987 second address: AE6997 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F20A116E94Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6997 second address: AE69A3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE69A3 second address: AE69A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AED111 second address: AED116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AED1FD second address: AED207 instructions: 0x00000000 rdtsc 0x00000002 je 00007F20A116E946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AED31D second address: AED323 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF487D second address: AF4883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF4883 second address: AF4887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF4887 second address: AF48B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F20A116E971h 0x00000010 jmp 00007F20A116E955h 0x00000015 pushad 0x00000016 js 00007F20A116E946h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF50DA second address: AF50E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF50E3 second address: AF50E9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF50E9 second address: AF50F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F20A0D41646h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF54DE second address: AF54E8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F20A116E946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF8C5A second address: AF8C91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A0D41654h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jmp 00007F20A0D4164Dh 0x00000011 jmp 00007F20A0D4164Eh 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF8C91 second address: AF8CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F20A116E946h 0x0000000a jmp 00007F20A116E950h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF8CAB second address: AF8CAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF8CAF second address: AF8CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F20A116E946h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jne 00007F20A116E946h 0x00000013 jmp 00007F20A116E958h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFD102 second address: AFD129 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F20A0D4164Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F20A0D41657h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFD129 second address: AFD12F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFD298 second address: AFD29C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFDC6E second address: AFDC74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFDDC1 second address: AFDDC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFDDC6 second address: AFDDE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F20A116E946h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F20A116E952h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFDDE8 second address: AFDDEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFCCDE second address: AFCCE8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFCCE8 second address: AFCCED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B014A3 second address: B014A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B06678 second address: B06689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F20A0D41646h 0x0000000a popad 0x0000000b popad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B06689 second address: B066A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A116E951h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B066A2 second address: B066B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20A0D41652h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC2D5A second address: AC2DC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A116E94Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F20A116E955h 0x0000000f nop 0x00000010 mov dword ptr [ebp+122D1F0Ah], ecx 0x00000016 lea eax, dword ptr [ebp+12488A91h] 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007F20A116E948h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 0000001Ch 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 mov dword ptr [ebp+122DB29Dh], ecx 0x0000003c push eax 0x0000003d pushad 0x0000003e jnc 00007F20A116E94Ch 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC2DC6 second address: AA2431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20A0D41656h 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e call dword ptr [ebp+122D2528h] 0x00000014 jmp 00007F20A0D41655h 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e je 00007F20A0D41646h 0x00000024 pop edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC3348 second address: AC3379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 js 00007F20A116E94Ch 0x0000000b popad 0x0000000c xor dword ptr [esp], 13CC2282h 0x00000013 pushad 0x00000014 movzx ecx, di 0x00000017 mov dword ptr [ebp+122D27BCh], edi 0x0000001d popad 0x0000001e call 00007F20A116E949h 0x00000023 push ebx 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC3379 second address: AC33AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jmp 00007F20A0D41656h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F20A0D4164Bh 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC33AB second address: AC33BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20A116E94Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC33BB second address: AC33DD instructions: 0x00000000 rdtsc 0x00000002 jg 00007F20A0D41646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F20A0D41651h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC33DD second address: AC33E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC34F9 second address: AC350F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A0D41652h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC35A1 second address: AC35FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F20A116E951h 0x00000008 js 00007F20A116E946h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], esi 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F20A116E948h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e call 00007F20A116E94Bh 0x00000033 mov cl, bl 0x00000035 pop edi 0x00000036 sub dword ptr [ebp+122D1DF4h], eax 0x0000003c nop 0x0000003d push eax 0x0000003e push edx 0x0000003f push edi 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC35FE second address: AC3603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC3603 second address: AC3609 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC3CD6 second address: AC3CDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC3DB9 second address: AC3DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F20A116E951h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC403A second address: AC404B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F20A0D4164Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC404B second address: AC404F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC3355 second address: AC3379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xor dword ptr [esp], 13CC2282h 0x0000000c pushad 0x0000000d movzx ecx, di 0x00000010 mov dword ptr [ebp+122D27BCh], edi 0x00000016 popad 0x00000017 call 00007F20A0D41649h 0x0000001c push ebx 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B058D6 second address: B058F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F20A116E958h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B058F5 second address: B058FB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B05C3B second address: B05C40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B05C40 second address: B05C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B060A3 second address: B060C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F20A116E951h 0x00000008 pushad 0x00000009 popad 0x0000000a je 00007F20A116E946h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0621F second address: B0622B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F20A0D41646h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0622B second address: B06240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jns 00007F20A116E946h 0x0000000c jo 00007F20A116E946h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B06240 second address: B06274 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F20A0D4164Eh 0x00000008 jp 00007F20A0D41646h 0x0000000e jmp 00007F20A0D41653h 0x00000013 js 00007F20A0D41646h 0x00000019 popad 0x0000001a push esi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B602 second address: B0B632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F20A116E94Ah 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F20A116E94Fh 0x00000016 jnc 00007F20A116E946h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B632 second address: B0B638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B638 second address: B0B63C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B63C second address: B0B640 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B640 second address: B0B650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F20A116E946h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B650 second address: B0B656 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B943 second address: B0B95A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F20A116E946h 0x0000000a jl 00007F20A116E946h 0x00000010 jnp 00007F20A116E946h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B394 second address: B0B398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0EB1C second address: B0EB2E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F20A116E946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F20A116E946h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0EB2E second address: B0EB32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B115B8 second address: B115CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A116E952h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B115CE second address: B115EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F20A0D41657h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B11736 second address: B11744 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F20A116E952h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B11744 second address: B1174A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B151F9 second address: B15208 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20A116E94Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B15208 second address: B15241 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A0D41653h 0x00000007 jmp 00007F20A0D41655h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007F20A0D41646h 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B15241 second address: B15247 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B15640 second address: B1565B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jbe 00007F20A0D41646h 0x0000000c pushad 0x0000000d popad 0x0000000e ja 00007F20A0D41646h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1565B second address: B1566D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8164B second address: A8164F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8164F second address: A8166F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F20A116E946h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jnp 00007F20A116E946h 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 js 00007F20A116E946h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8166F second address: A81673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A81673 second address: A81677 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18A5E second address: B18A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F20A0D41655h 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18A7B second address: B18AAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ecx 0x00000007 jnc 00007F20A116E952h 0x0000000d popad 0x0000000e pushad 0x0000000f jnl 00007F20A116E94Ch 0x00000015 push edx 0x00000016 jng 00007F20A116E946h 0x0000001c pop edx 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18D5D second address: B18D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18D63 second address: B18D6D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F20A116E946h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B19079 second address: B190C9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F20A0D41646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F20A0D41655h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 jmp 00007F20A0D41659h 0x00000019 popad 0x0000001a jmp 00007F20A0D41652h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B190C9 second address: B190CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B190CF second address: B190D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1922D second address: B19259 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F20A116E946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F20A116E952h 0x00000011 jmp 00007F20A116E94Eh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B193B1 second address: B193BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F20A0D41646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B193BB second address: B193CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F20A116E946h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E1B9 second address: B1E1BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E1BF second address: B1E1C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E1C3 second address: B1E1C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E1C9 second address: B1E1E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F20A116E957h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E1E8 second address: B1E1EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E1EE second address: B1E1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E1F2 second address: B1E215 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A0D41656h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jng 00007F20A0D41646h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC3ABA second address: AC3B37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20A116E94Ch 0x00000009 popad 0x0000000a nop 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F20A116E946h 0x00000013 pop ecx 0x00000014 pop edi 0x00000015 mov ebx, dword ptr [ebp+12488AD0h] 0x0000001b jnc 00007F20A116E94Ch 0x00000021 add eax, ebx 0x00000023 push 00000000h 0x00000025 push eax 0x00000026 call 00007F20A116E948h 0x0000002b pop eax 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 add dword ptr [esp+04h], 00000018h 0x00000038 inc eax 0x00000039 push eax 0x0000003a ret 0x0000003b pop eax 0x0000003c ret 0x0000003d mov edi, dword ptr [ebp+122D2D11h] 0x00000043 sbb cl, 00000011h 0x00000046 nop 0x00000047 push eax 0x00000048 jmp 00007F20A116E956h 0x0000004d pop eax 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 jl 00007F20A116E948h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1EE64 second address: B1EE79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A0D41650h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B285EF second address: B28601 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F20A116E94Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2668D second address: B26692 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B267FC second address: B26816 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F20A116E952h 0x00000008 je 00007F20A116E946h 0x0000000e jnc 00007F20A116E946h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 pop eax 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B26955 second address: B2695B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B26EFF second address: B26F05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2716B second address: B27171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B27171 second address: B27175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B27427 second address: B27431 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F20A0D41646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B27431 second address: B27436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B27732 second address: B27743 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F20A0D41646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B27743 second address: B27747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B27747 second address: B2774D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2774D second address: B27752 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B27752 second address: B27767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F20A0D41646h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F20A0D41646h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B27767 second address: B2776B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B27A58 second address: B27A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B282F8 second address: B2830F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20A116E94Eh 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2830F second address: B28315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B28315 second address: B28326 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F20A116E948h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B28326 second address: B2832B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B30B81 second address: B30B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B30CE7 second address: B30CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F20A0D41646h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B30CF7 second address: B30CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B30E35 second address: B30E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F20A0D41646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3141A second address: B3141E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3141E second address: B31429 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B39E3E second address: B39E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B39E42 second address: B39E53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A0D4164Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B39E53 second address: B39E5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F20A116E946h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B37F31 second address: B37F75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F20A0D4164Fh 0x0000000e popad 0x0000000f jmp 00007F20A0D41659h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 js 00007F20A0D41669h 0x0000001c ja 00007F20A0D4164Eh 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B37F75 second address: B37F7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B380DA second address: B380DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38382 second address: B38386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38386 second address: B3838A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3864D second address: B38673 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A116E94Eh 0x00000007 push edx 0x00000008 jne 00007F20A116E946h 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F20A116E94Ah 0x00000019 push eax 0x0000001a pop eax 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38673 second address: B38686 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F20A0D4164Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38686 second address: B386A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20A116E94Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F20A116E946h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38819 second address: B38823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F20A0D41646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38C6A second address: B38C74 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F20A116E94Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38DC7 second address: B38DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F20A0D4164Ch 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38DDA second address: B38DE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38DE0 second address: B38DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38DE9 second address: B38DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3939E second address: B393B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A0D41653h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B39C8F second address: B39C93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B39C93 second address: B39C9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B39C9C second address: B39CC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F20A116E946h 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push ecx 0x0000000d pushad 0x0000000e jmp 00007F20A116E952h 0x00000013 jnl 00007F20A116E946h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B39CC9 second address: B39CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B39CCD second address: B39CD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B37AA7 second address: B37ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F20A0D41656h 0x0000000e jno 00007F20A0D41646h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4CF87 second address: B4CF8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4CF8B second address: B4CF9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F20A0D41646h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4CF9B second address: B4CF9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4CF9F second address: B4CFB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A0D4164Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4CFB3 second address: B4CFBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jl 00007F20A116E946h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7E05C second address: A7E075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 jmp 00007F20A0D41652h 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7E075 second address: A7E099 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F20A116E95Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7E099 second address: A7E09D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4CBAA second address: B4CBB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4CBB0 second address: B4CBB6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A77504 second address: A7751F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A116E951h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7751F second address: A77523 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B51279 second address: B5127D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5AC85 second address: B5AC8A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5AC8A second address: B5ACC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jl 00007F20A116E959h 0x0000000b jmp 00007F20A116E953h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F20A116E958h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5DFE4 second address: B5DFEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5DFEC second address: B5DFF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5DFF0 second address: B5DFF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5DFF6 second address: B5E00A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F20A116E946h 0x0000000e jns 00007F20A116E946h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5E00A second address: B5E00E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B648EE second address: B648F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B648F3 second address: B648F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B648F9 second address: B64903 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F20A116E946h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B68F58 second address: B68F5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70B07 second address: B70B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70B11 second address: B70B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20A0D41657h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70B2E second address: B70B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F20A116E95Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B70B55 second address: B70B82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A0D41654h 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007F20A0D41652h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F50F second address: B6F51F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F20A116E946h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F51F second address: B6F523 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6FD2C second address: B6FD47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20A116E956h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6FD47 second address: B6FD5F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F20A0D4164Ah 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6FD5F second address: B6FD65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6FD65 second address: B6FD77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F20A0D4164Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B73533 second address: B73539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B73539 second address: B73543 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F20A0D41646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B73543 second address: B7354B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7354B second address: B7354F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8967C second address: B89680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B89680 second address: B8969C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A0D41658h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B89490 second address: B89498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B89498 second address: B894CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jmp 00007F20A0D4164Ah 0x0000000c jmp 00007F20A0D4164Dh 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F20A0D41652h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8BF45 second address: B8BF68 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F20A116E958h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8BF68 second address: B8BF80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F20A0D4164Ah 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop edx 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8C10F second address: B8C116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B92F6C second address: B92F90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A0D41657h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jp 00007F20A0D41646h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B921C0 second address: B921C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9236B second address: B92396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20A0D4164Fh 0x00000009 popad 0x0000000a jmp 00007F20A0D41657h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B92396 second address: B9239C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9239C second address: B923A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F20A0D41646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B923A6 second address: B923AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B923AA second address: B923B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B99E0B second address: B99E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9DBF5 second address: B9DBFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9DBFA second address: B9DC04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F20A116E946h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9DCB0 second address: B9DCBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20A0D4164Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9FBC4 second address: B9FBFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20A116E950h 0x00000009 jmp 00007F20A116E959h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007F20A116E946h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9FBFC second address: B9FC00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B95D22 second address: B95D33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b js 00007F20A116E946h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B96EE5 second address: B96EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B96EEF second address: B96EFC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F20A116E946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: ADADDA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 90DC11 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B42B24 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 911AA1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4E40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4EC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 6EC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8D5EF rdtsc 0_2_00A8D5EF
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 5248 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8D5EF rdtsc 0_2_00A8D5EF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090B7E6 LdrInitializeThunk,0_2_0090B7E6
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.2289894599.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE0C2D GetSystemTime,GetFileTime,0_2_00AE0C2D

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK matrix (numbers prefix the techniques matched by signatures for this sample; unnumbered cells are the matrix placeholders):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Service Execution | 1 Windows Service | 1 Windows Service | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Process Injection | 41 Disable or Modify Tools | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 261 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Bypass User Account Control | 1 Process Injection | NTDS | 261 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 2 Bypass User Account Control | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner | Label | Link
file.exe | 47% | ReversingLabs | Win32.Infostealer.Tinba
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1564520
Start date and time:2024-11-28 13:09:07 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 10s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:10
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, arc.msn.com
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.4768526205273
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:2'778'624 bytes
MD5:2b03b480ec8647afe04d151fcb12ee99
SHA1:a1c3a8992aefbdc1b98275419e2971cdf306ecbb
SHA256:1641d8934363108f30946bdd68dbed807afa8a16c11b0908857ac6ae7015313e
SHA512:0d4ff2dbdef1192b1b536453ef9cb1a7d65769b05064d2f9ec3a159185bc370f3e12d238b1240e344c51f2f5e19899a4cb40110733469e5c1e94658f60566856
SSDEEP:49152:mIRu4A3yrjW803OYWtEZxstdIgNiMZja+WO+8Lk4:mIR+CrjWz3OYWtEfstVNid
TLSH:CBD52A92A449F1CFD8CB32B4952BCD8A697D0BB9072008E7AD6DF4B97DA3CC115B5C14
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............*.. ...`....@.. ....................... +.....28+...`................................
Icon Hash:00928e8e8686b000
Entrypoint:0x6ae000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F20A0B8E7DAh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x2000 | 0x4000 | 0x1200 | 097241b7d177ff60914c3533c09b0ac2 | False | 0.9283854166666666 | data | 7.748930454036839 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ovmsqngl | 0xa000 | 0x2a2000 | 0x2a0600 | 27ee3db85ae0f178588ef762acfd53a4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gzdrleae | 0x2ac000 | 0x2000 | 0x400 | 5f52f54e98bc77cf15396dedcd2400bb | False | 0.7939453125 | data | 6.252638231754054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2ae000 | 0x4000 | 0x2200 | 15132aeb933fbbeefcf00d18bb831257 | False | 0.06996783088235294 | DOS executable (COM) | 0.8995344303033139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
No network behavior found
Target ID:0
Start time:07:10:01
Start date:28/11/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x900000
File size:2'778'624 bytes
MD5 hash:2B03B480EC8647AFE04D151FCB12EE99
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

    Execution Graph

    Execution Coverage:5.6%
    Dynamic/Decrypted Code Coverage:4.9%
    Signature Coverage:2%
    Total number of Nodes:306
    Total number of Limit Nodes:16

    Control-flow Graph

    APIs
    • ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 04E418C8
    Memory Dump Source
    • Source File: 00000000.00000002.2292105286.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e40000_file.jbxd
    Similarity
    • API ID: ChangeConfigService
    • String ID:
    • API String ID: 3849694230-0
    • Opcode ID: 0744066058694a4f0b6783aac595b855c0e67a09d8480239fa540d0d3ef52d56
    • Instruction ID: e167edc2716138ef09439bdf291b45787faa6ac1d5d1b6fb2b6a334b64e1604d
    • Opcode Fuzzy Hash: 0744066058694a4f0b6783aac595b855c0e67a09d8480239fa540d0d3ef52d56
    • Instruction Fuzzy Hash: E7C16B71D102599FEF10CFA8E8497AEFBF1BF89314F049629E854E7244D774A891CB81

    Control-flow Graph

    APIs
    • CreateFileA.KERNELBASE(CAB9006A), ref: 00A8D702
    Memory Dump Source
    • Source File: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 42b82c15467527ee708a88525d442dfd569f9b9c4f75c9f2d6f72e0b1c5d05bb
    • Instruction ID: 688aa41bdffc577d07140c6e9ad023ad055fa453c87f027004d7915842f71d53
    • Opcode Fuzzy Hash: 42b82c15467527ee708a88525d442dfd569f9b9c4f75c9f2d6f72e0b1c5d05bb
    • Instruction Fuzzy Hash: 4341B3F71981187DF601EE45AB50AFA7B7DE7C7730F30842AF846D6982E2A10D095739
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID:
    • String ID: !!iH
    • API String ID: 0-3430752988
    • Opcode ID: 829d7c7b97b0e8b32f882e836aa8f6dc2059ec4c0802aa654021f618b4ea0fe0
    • Instruction ID: 6d14c0b2864537c8a8167ec97d11a87aeae66e54da03deedbb028db522a7c917
    • Opcode Fuzzy Hash: 829d7c7b97b0e8b32f882e836aa8f6dc2059ec4c0802aa654021f618b4ea0fe0
    • Instruction Fuzzy Hash: 73E0C27214458D8ECF2A9F60C801B9A770DEF90704F204114FF119AEC9CB3D4C118795

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 00ADE2C4
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00ADE2D8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2289046426.0000000000900000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289061817.0000000000902000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289093997.0000000000906000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289149474.0000000000916000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289290202.0000000000A74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289311227.0000000000A76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289379863.0000000000A96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289402652.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289418345.0000000000A99000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289440172.0000000000A9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289458371.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289478706.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289503853.0000000000AC0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289523860.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289541700.0000000000AC3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289619509.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289670117.0000000000ACC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289765155.0000000000AD7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289822186.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289879689.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289894599.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289909432.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289932881.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289951799.0000000000AF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289974554.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289990092.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290006724.0000000000B02000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290023779.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290042029.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290058747.0000000000B19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290072905.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290088659.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290105195.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290125143.0000000000B30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290139232.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290155460.0000000000B3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290173880.0000000000B3C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: 2e4661d442e1da3361b245fa4180f18605eb4b808e78091b620a32807f94b9c7
    • Instruction ID: a9afd86c7209a157b9af2e4912361d43e818fce90263d3b424991397a6e20f9b
    • Opcode Fuzzy Hash: 2e4661d442e1da3361b245fa4180f18605eb4b808e78091b620a32807f94b9c7
    • Instruction Fuzzy Hash: A8318B31400209AFDF25FFA0DA05AED7B79FF18350F10416BF9079A261C7319AA0EB90

    Control-flow Graph

    Basic blocks (node: address range, calls -> successor nodes):
    • 37: ade6b9-ade6ca, call ade01d -> 40, 41
    • 40: ade6d5-ade6de, call adcae0 -> 48, 49
    • 41: ade6d0 -> 42
    • 42: ade769-ade76d -> 44, 45
    • 44: ade781-ade784, GetModuleHandleA -> 47
    • 45: ade773-ade77c, GetModuleHandleW -> 47
    • 47: ade78a -> 51
    • 48: ade6e4-ade6f0, call add1f2 -> 54
    • 49: ade712-ade719 -> 52, 53
    • 51: ade794-ade796
    • 52: ade71f-ade726 -> 53, 55
    • 53: ade764, call adcb8b -> 42
    • 54: ade6f5-ade6f7 -> 53, 57
    • 55: ade72c-ade733 -> 53, 58
    • 57: ade6fd-ade702 -> 53, 59
    • 58: ade739-ade740 -> 53, 60
    • 59: ade708-ade78f, call adcb8b -> 51
    • 60: ade746-ade75a -> 53
    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,00ADE64B,?,00000000,00000000), ref: 00ADE776
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,00ADE64B,?,00000000,00000000), ref: 00ADE784
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2289046426.0000000000900000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289061817.0000000000902000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289093997.0000000000906000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289149474.0000000000916000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289290202.0000000000A74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289311227.0000000000A76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289379863.0000000000A96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289402652.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289418345.0000000000A99000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289440172.0000000000A9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289458371.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289478706.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289503853.0000000000AC0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289523860.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289541700.0000000000AC3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289619509.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289670117.0000000000ACC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289765155.0000000000AD7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289822186.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289879689.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289894599.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289909432.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289932881.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289951799.0000000000AF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289974554.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289990092.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290006724.0000000000B02000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290023779.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290042029.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290058747.0000000000B19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290072905.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290088659.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290105195.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290125143.0000000000B30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290139232.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290155460.0000000000B3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290173880.0000000000B3C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: 79f3fa5376d6cf435a3f20d137acc05442cce466245e804db7a87e80253cbc63
    • Instruction ID: 8971feb06ca60a118d5c76d18dee00bcba1b6a3ce71b98c4f88634b4fecfa716
    • Opcode Fuzzy Hash: 79f3fa5376d6cf435a3f20d137acc05442cce466245e804db7a87e80253cbc63
    • Instruction Fuzzy Hash: C4115E71600706EEEBB0FF24CA497997A71BF00359F004227E4174C6A1E7B599E4EA92

    Control-flow Graph

    Basic blocks (node: address range, calls -> successor nodes):
    • 64: ae1013-ae1021 -> 65, 66
    • 65: ae1027-ae102e -> 67
    • 66: ae1033 -> 67
    • 67: ae103a-ae1050, call adcae0, call add244 -> 72, 73
    • 72: ae106f -> 75
    • 73: ae1056-ae1064, call add1f2 -> 79, 80
    • 75: ae1073-ae1076 -> 77
    • 77: ae10a6-ae10ad, call adcb8b
    • 79: ae106a -> 75
    • 80: ae107b-ae1080 -> 82, 83
    • 82: ae1086-ae1092, GetFileAttributesW -> 84
    • 83: ae1097-ae109a, GetFileAttributesA -> 84
    • 84: ae10a0-ae10a1 -> 77
    APIs
    • GetFileAttributesW.KERNELBASE(00D5125C,-119C5FEC), ref: 00AE108C
    • GetFileAttributesA.KERNEL32(00000000,-119C5FEC), ref: 00AE109A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2289046426.0000000000900000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289061817.0000000000902000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289093997.0000000000906000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289149474.0000000000916000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289290202.0000000000A74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289311227.0000000000A76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289379863.0000000000A96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289402652.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289418345.0000000000A99000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289440172.0000000000A9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289458371.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289478706.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289503853.0000000000AC0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289523860.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289541700.0000000000AC3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289619509.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289670117.0000000000ACC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289765155.0000000000AD7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289822186.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289879689.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289894599.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289909432.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289932881.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289951799.0000000000AF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289974554.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289990092.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290006724.0000000000B02000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290023779.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290042029.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290058747.0000000000B19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290072905.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290088659.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290105195.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290125143.0000000000B30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290139232.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290155460.0000000000B3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290173880.0000000000B3C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 0a707c30988803be58499488d420dadcbde50c28e66483a3214b654ac7c4978d
    • Instruction ID: 7e4412391cd49f4afbdae984881907fcc953552368fa2768000f2201ad5cd9d0
    • Opcode Fuzzy Hash: 0a707c30988803be58499488d420dadcbde50c28e66483a3214b654ac7c4978d
    • Instruction Fuzzy Hash: 0E01AF725042E5FEDF319F65CA09B9C7FB1AF40384F604126F407A90A1C7B09AD2EB80

    Control-flow Graph

    Basic blocks (node: address range, calls -> successor nodes):
    • 85: ade486-ade49c, call adcae0, call addf65 -> 90, 91
    • 90: ade581-ade59c, call adcb8b, GetModuleFileNameA -> 101
    • 91: ade4a2-ade4b0 -> 92, 93
    • 92: ade504-ade51f, GetFullPathNameA -> 97, 98
    • 93: ade4b6-ade4d3, GetModuleFileNameA -> 95
    • 95: ade4d5-ade4d8 -> 99, 100
    • 97: ade525-ade53d -> 105, 106
    • 98: ade5a1, call adcb8b -> 101
    • 99: ade4de-ade4df -> 95
    • 100: ade4e4-ade4e6 -> 104
    • 101: ade5a6-ade5b1
    • 104: ade4e8-ade4eb -> 107, 108
    • 105: ade564-ade57c -> 98
    • 106: ade543-ade55f -> 98
    • 107: ade4fc-ade4ff -> 97
    • 108: ade4f1-ade4f7 -> 104
    APIs
      • Part of subcall function 00ADCAE0: GetCurrentThreadId.KERNEL32 ref: 00ADCAEF
      • Part of subcall function 00ADCAE0: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00ADCB32
    • GetModuleFileNameA.KERNEL32(00000000,?,0000028B,-119C5FEC,00000000,?), ref: 00ADE4C6
    • GetFullPathNameA.KERNEL32(?,0000028B,?,00000000,-119C5FEC,?), ref: 00ADE516
    • GetModuleFileNameA.KERNELBASE(?,?,?,?), ref: 00ADE58F
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2289046426.0000000000900000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289061817.0000000000902000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289093997.0000000000906000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289149474.0000000000916000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289290202.0000000000A74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289311227.0000000000A76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289379863.0000000000A96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289402652.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289418345.0000000000A99000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289440172.0000000000A9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289458371.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289478706.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289503853.0000000000AC0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289523860.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289541700.0000000000AC3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289619509.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289670117.0000000000ACC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289765155.0000000000AD7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289822186.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289879689.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289894599.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289909432.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289932881.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289951799.0000000000AF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289974554.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289990092.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290006724.0000000000B02000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290023779.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290042029.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290058747.0000000000B19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290072905.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290088659.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290105195.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290125143.0000000000B30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290139232.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290155460.0000000000B3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290173880.0000000000B3C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: Name$FileModule$CurrentFullPathSleepThread
    • String ID:
    • API String ID: 90702387-0
    • Opcode ID: 7383d72337481da04e41c9c6920885d1ad9c9ebbe513e835549b9e1ec2186bca
    • Instruction ID: b7d730c9a8875ceafbef793ff6852ca7bf707a7316c80f8818ba5785dd96c6da
    • Opcode Fuzzy Hash: 7383d72337481da04e41c9c6920885d1ad9c9ebbe513e835549b9e1ec2186bca
    • Instruction Fuzzy Hash: E8317FB150025AEFEB21EF64DD88F9EBBB4FF05394F000196F40B9A250D7B05A91CB20

    Control-flow Graph

    Basic blocks (node: address range, calls -> successor nodes):
    • 111: a99d43-a99d47 -> 112, 113
    • 112: a99efd-a99f26 -> 116, 117
    • 113: a99d64-a99d67 -> 112
    • 116: a99f28-a99f43, RegOpenKeyA -> 117, 120
    • 117: a99f4f-a99f6a, RegOpenKeyA -> 118, 119
    • 118: a99f6c-a99f76 -> 119
    • 119: a99f82-a99fae -> 123, 124
    • 120: a99f45 -> 117
    • 123: a99fbb-a99fc5 -> 125, 126
    • 124: a99fb0-a99fb9, GetNativeSystemInfo -> 123
    • 125: a99fd1-a99fdf -> 128, 129
    • 126: a99fc7 -> 125
    • 128: a99feb-a99ff2 -> 130, 131
    • 129: a99fe1 -> 128
    • 130: a99ff8-a99fff -> 131, 132
    • 131: a9a005 -> 132
    • 132: a9ae0f-a9ae16 -> 133, 134
    • 133: a99208-a99211 -> 113
    • 134: a9ae1c-a9ae2b
    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00A99F3B
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00A99F62
    • GetNativeSystemInfo.KERNELBASE(?), ref: 00A99FB9
    Memory Dump Source
    • Source File: 00000000.00000002.2289418345.0000000000A99000.00000080.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2289046426.0000000000900000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289061817.0000000000902000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289093997.0000000000906000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289149474.0000000000916000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289290202.0000000000A74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289311227.0000000000A76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289379863.0000000000A96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289402652.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289440172.0000000000A9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289458371.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289478706.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289503853.0000000000AC0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289523860.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289541700.0000000000AC3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289619509.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289670117.0000000000ACC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289765155.0000000000AD7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289822186.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289879689.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289894599.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289909432.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289932881.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289951799.0000000000AF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289974554.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289990092.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290006724.0000000000B02000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290023779.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290042029.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290058747.0000000000B19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290072905.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290088659.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290105195.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290125143.0000000000B30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290139232.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290155460.0000000000B3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290173880.0000000000B3C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: 83feab08d5c9cb0b436cb4a517fdf38aa6d1d1b23193cf4cce9774d5b8f86dda
    • Instruction ID: b8d1588c0191f7b5ecf1dc22e350dc21fbfaf5ec86d51620ff20efd328c24674
    • Opcode Fuzzy Hash: 83feab08d5c9cb0b436cb4a517fdf38aa6d1d1b23193cf4cce9774d5b8f86dda
    • Instruction Fuzzy Hash: E131387150420EAFDF12CF24C988BEF3BE9EF05314F00052AE94286945EBB65DA4DF59

    Control-flow Graph

    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 00ADD0F5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: b671766f31612e9e2c6eb71ebd64681e121d3d1f66402c84b3d1d1129e1c9fa7
    • Instruction ID: d54e1d9c8ff6ab023d5603ecb6da98f208795e0f7267a7bdd4730141558a7d7d
    • Opcode Fuzzy Hash: b671766f31612e9e2c6eb71ebd64681e121d3d1f66402c84b3d1d1129e1c9fa7
    • Instruction Fuzzy Hash: F131F935A0020ABFDF21DF94CD09F9EBB76FF04754F000266FA02A91A0D7B69A65DB54

    Control-flow Graph

    APIs
      • Part of subcall function 00ADCAE0: GetCurrentThreadId.KERNEL32 ref: 00ADCAEF
      • Part of subcall function 00ADCAE0: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00ADCB32
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00ADE806
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleSleepThread
    • String ID: .dll
    • API String ID: 683542999-2738580789
    • Opcode ID: 172f7f0a66337945118487d49a175e09794b4632c502befb98a870a12e0acd10
    • Instruction ID: 9a7950cc8a082cbe427b312461df618c179a639da767b13275866e487bf370f2
    • Opcode Fuzzy Hash: 172f7f0a66337945118487d49a175e09794b4632c502befb98a870a12e0acd10
    • Instruction Fuzzy Hash: 9DF03075200206AFEF10EF64C985AAD3BB5FF14360F508523FD1789252D731C551EA51

    Control-flow Graph

    APIs
    • CreateFileW.KERNELBASE(00D5125C,?,?,-119C5FEC,?,?,?,-119C5FEC,?), ref: 00AE12E1
      • Part of subcall function 00AE11E1: IsBadWritePtr.KERNEL32(?,00000004), ref: 00AE11EF
    • CreateFileA.KERNEL32(?,?,?,-119C5FEC,?,?,?,-119C5FEC,?), ref: 00AE1301
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: 3eaa3396f0de4664447f113ee7303ff54b1f0530fb46fcbe859a72ca953b5087
    • Instruction ID: 7726898d0115f0a7470b6f1acb9f910f4bcc1a7206db3e5939c5c75804ec7e95
    • Opcode Fuzzy Hash: 3eaa3396f0de4664447f113ee7303ff54b1f0530fb46fcbe859a72ca953b5087
    • Instruction Fuzzy Hash: 5411E47210419AFBDF229FA1CE05BDD3E72BF04345F144126FA06A8461C336C9B1EB91

    Control-flow Graph

    APIs
      • Part of subcall function 00ADCAE0: GetCurrentThreadId.KERNEL32 ref: 00ADCAEF
      • Part of subcall function 00ADCAE0: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00ADCB32
    • GetCurrentProcess.KERNEL32(-119C5FEC), ref: 00AE0BA8
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AE0C0E
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessSleepThread
    • String ID:
    • API String ID: 2846201637-0
    • Opcode ID: 8ca31a1523b31689cf8272a8ab39cd5e9dfec830eadae06d26ef668ac8dd7105
    • Instruction ID: 3cecca53b7c773b06b6b422e94766177ea5fb0baf233986f2ca80159c35148e1
    • Opcode Fuzzy Hash: 8ca31a1523b31689cf8272a8ab39cd5e9dfec830eadae06d26ef668ac8dd7105
    • Instruction Fuzzy Hash: AC01693210018AFBCF22AFA5DD05CDE3B35BF987A47004222F90691120CB71D5A2EB61

    Control-flow Graph

    APIs
    • GetModuleFileNameW.KERNEL32(?,?,?,-119C5FEC,?,00000000,?,?), ref: 00ADE606
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,-119C5FEC,?,00000000,?,?), ref: 00ADE625
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2290173880.0000000000B3C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: ByteCharFileModuleMultiNameWide
    • String ID:
    • API String ID: 1532159127-0
    • Opcode ID: 4325fbd421b13b814c7eca6ffb4751c9be7dfe57c3c7909e0aeb24cb9cc7ef9f
    • Instruction ID: aaf7c4091faccb869e7d9612a4498f43e0db1818c033aa96b3b324bc7d9a78fb
    • Opcode Fuzzy Hash: 4325fbd421b13b814c7eca6ffb4751c9be7dfe57c3c7909e0aeb24cb9cc7ef9f
    • Instruction Fuzzy Hash: 3F01D67150028AFBDF12EFA4CD09E9E7F72FF55354F108166F526592A0C7719660EB40

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 236 adcae0-adcaf6 GetCurrentThreadId 237 adcaf8-adcb04 236->237 238 adcb3f-adcb4c 237->238 239 adcb0a-adcb0c 237->239 239->238 240 adcb12-adcb19 239->240 241 adcb1f-adcb26 240->241 242 adcb2e-adcb3a Sleep 240->242 241->242 244 adcb2c 241->244 242->237 244->242
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00ADCAEF
    • Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00ADCB32
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2289046426.0000000000900000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289061817.0000000000902000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289093997.0000000000906000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289149474.0000000000916000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289290202.0000000000A74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289311227.0000000000A76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289379863.0000000000A96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289402652.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289418345.0000000000A99000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289440172.0000000000A9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289458371.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289478706.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289503853.0000000000AC0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289523860.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289541700.0000000000AC3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289619509.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289670117.0000000000ACC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289765155.0000000000AD7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289822186.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289879689.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289894599.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289909432.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289932881.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289951799.0000000000AF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289974554.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289990092.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290006724.0000000000B02000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290023779.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290042029.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290058747.0000000000B19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290072905.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290088659.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290105195.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290125143.0000000000B30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290139232.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290155460.0000000000B3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290173880.0000000000B3C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: 5d9aba1ed4fed326453fb73aea170618c335c4069dda6e1961d124e8f2cb1f25
    • Instruction ID: 519fe03055ba5b585d8ad000fb6b22a803fdcf8e19b977e92d6695d0fe48657d
    • Opcode Fuzzy Hash: 5d9aba1ed4fed326453fb73aea170618c335c4069dda6e1961d124e8f2cb1f25
    • Instruction Fuzzy Hash: E1F0523110224AEFDB219F61C9597AFB7B4FF0032AF60017BE10389241D7F06A85DA81

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 245 4e415c4-4e4165a 247 4e41693-4e416b5 245->247 248 4e4165c-4e41666 245->248 255 4e416b7-4e416c4 247->255 256 4e416f1-4e41712 247->256 248->247 249 4e41668-4e4166a 248->249 250 4e4166c-4e41676 249->250 251 4e4168d-4e41690 249->251 253 4e41678 250->253 254 4e4167a-4e41689 250->254 251->247 253->254 254->254 257 4e4168b 254->257 255->256 258 4e416c6-4e416c8 255->258 264 4e41714-4e4171e 256->264 265 4e4174b-4e4176d 256->265 257->251 259 4e416ca-4e416d4 258->259 260 4e416eb-4e416ee 258->260 262 4e416d6 259->262 263 4e416d8-4e416e7 259->263 260->256 262->263 263->263 266 4e416e9 263->266 264->265 267 4e41720-4e41722 264->267 271 4e4176f-4e4177c 265->271 272 4e417a9-4e417ca 265->272 266->260 269 4e41724-4e4172e 267->269 270 4e41745-4e41748 267->270 273 4e41730 269->273 274 4e41732-4e41741 269->274 270->265 271->272 275 4e4177e-4e41780 271->275 282 4e41803-4e41825 272->282 283 4e417cc-4e417d6 272->283 273->274 274->274 276 4e41743 274->276 277 4e41782-4e4178c 275->277 278 4e417a3-4e417a6 275->278 276->270 280 4e41790-4e4179f 277->280 281 4e4178e 277->281 278->272 280->280 284 4e417a1 280->284 281->280 289 4e41827-4e41834 282->289 290 4e41861-4e41867 282->290 283->282 285 4e417d8-4e417da 283->285 284->278 287 4e417dc-4e417e6 285->287 288 4e417fd-4e41800 285->288 291 4e417e8 287->291 292 4e417ea-4e417f9 287->292 288->282 289->290 294 4e41836-4e41838 289->294 297 4e41871-4e418d8 ChangeServiceConfigA 290->297 291->292 292->292 293 4e417fb 292->293 293->288 295 4e4183a-4e41844 294->295 296 4e4185b-4e4185e 294->296 300 4e41846 295->300 301 4e41848-4e41857 295->301 296->290 298 4e418e1-4e41920 297->298 299 4e418da-4e418e0 297->299 305 4e41930-4e41934 298->305 306 4e41922-4e41926 298->306 299->298 300->301 301->301 303 4e41859 301->303 303->296 308 4e41944-4e41948 305->308 309 4e41936-4e4193a 305->309 306->305 307 4e41928-4e4192b call 4e4013c 306->307 307->305 312 4e41958-4e4195c 308->312 313 4e4194a-4e4194e 308->313 309->308 311 4e4193c-4e4193f call 4e4013c 309->311 311->308 314 4e4196c-4e41970 312->314 315 4e4195e-4e41962 312->315 313->312 317 4e41950-4e41953 call 4e4013c 313->317 319 4e41980-4e41984 314->319 320 4e41972-4e41976 314->320 315->314 318 4e41964-4e41967 call 4e4013c 315->318 317->312 318->314 324 4e41994 319->324 325 4e41986-4e4198a 319->325 320->319 323 4e41978-4e4197b call 4e4013c 320->323 323->319 329 4e41995 324->329 325->324 327 4e4198c-4e4198f call 4e4013c 325->327 327->324 329->329
    APIs
    • ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 04E418C8
    Memory Dump Source
    • Source File: 00000000.00000002.2292105286.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e40000_file.jbxd
    Similarity
    • API ID: ChangeConfigService
    • String ID:
    • API String ID: 3849694230-0
    • Opcode ID: 232d4f6d108eeff0a37f846f07c8fa404e1ca74f0f5fafcf2135d6dc39ab8941
    • Instruction ID: f18ef1a1d67170fbd58bb84772b27903282e8aaee5149b9aa626fecfc57a8634
    • Opcode Fuzzy Hash: 232d4f6d108eeff0a37f846f07c8fa404e1ca74f0f5fafcf2135d6dc39ab8941
    • Instruction Fuzzy Hash: CBC16A71D102599FEF10CFA8E8497AEFBB1BF89314F049629E854A7244D774A881CB81

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 415 a8d5d5-a8d605 call a8d5ef 419 a8d60b-a8d60c 415->419 420 a8d60d-a8d6ba 415->420 419->420 427 a8d6c8-a8d6f6 420->427 428 a8d6c0-a8d6c7 420->428 431 a8d6fc 427->431 432 a8d702-a8d705 CreateFileA 427->432 428->427 431->432 433 a8d70b-a8d752 432->433 434 a8d8d6-a8d8d8 432->434 442 a8d753-a8d790 call a8d78e 433->442 436 a8d8de 434->436 437 a8d8e4-a8d8ef call a8d8f2 434->437 436->437 447 a8d792-a8d79f 442->447 448 a8d7ab-a8d7db call a8d7de 447->448 449 a8d7a5-a8d7aa 447->449 448->434 449->448
    Memory Dump Source
    • Source File: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2289046426.0000000000900000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289061817.0000000000902000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289093997.0000000000906000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289149474.0000000000916000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289290202.0000000000A74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289311227.0000000000A76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289379863.0000000000A96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289402652.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289418345.0000000000A99000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289440172.0000000000A9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289458371.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289478706.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289503853.0000000000AC0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289523860.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289541700.0000000000AC3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289619509.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289670117.0000000000ACC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289765155.0000000000AD7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289822186.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289879689.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289894599.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289909432.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289932881.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289951799.0000000000AF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289974554.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289990092.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290006724.0000000000B02000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290023779.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290042029.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290058747.0000000000B19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290072905.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290088659.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290105195.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290125143.0000000000B30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290139232.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290155460.0000000000B3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290173880.0000000000B3C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 8ca699a4436491bd8ec272f22b6f9a6e3bfd8ca7c66e99481639bd18cb32083a
    • Instruction ID: 59628b490bcf9b122054afa1d5ea98a1388262a97c7ee2c80f3724549cf25322
    • Opcode Fuzzy Hash: 8ca699a4436491bd8ec272f22b6f9a6e3bfd8ca7c66e99481639bd18cb32083a
    • Instruction Fuzzy Hash: 2341C5B61481486EE701EF55AA50AFA7B7DE7C7730B30806AF446D6482E2A10D095335
    APIs
    • CreateFileA.KERNELBASE(CAB9006A), ref: 00A8D702
    Memory Dump Source
    • Source File: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2289046426.0000000000900000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289061817.0000000000902000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289093997.0000000000906000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289149474.0000000000916000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289290202.0000000000A74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289311227.0000000000A76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289379863.0000000000A96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289402652.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289418345.0000000000A99000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289440172.0000000000A9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289458371.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289478706.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289503853.0000000000AC0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289523860.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289541700.0000000000AC3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289619509.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289670117.0000000000ACC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289765155.0000000000AD7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289822186.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289879689.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289894599.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289909432.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289932881.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289951799.0000000000AF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289974554.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289990092.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290006724.0000000000B02000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290023779.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290042029.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290058747.0000000000B19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290072905.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290088659.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290105195.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290125143.0000000000B30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290139232.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290155460.0000000000B3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290173880.0000000000B3C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 4d61431425d1bbc06a4716aa17b8393fb9bfe3e5a635285afe7b09c27e475930
    • Instruction ID: 407badb4d8d93bb04c548395e508ff2325018102824c18b09a099d2432d9efe1
    • Opcode Fuzzy Hash: 4d61431425d1bbc06a4716aa17b8393fb9bfe3e5a635285afe7b09c27e475930
    • Instruction Fuzzy Hash: 6B31C3F71882097DE601AE45AB50AFF7B7DE7C7730F30842AF846D6982D2A10D095339
    APIs
    • CreateFileA.KERNELBASE(CAB9006A), ref: 00A8D702
    Memory Dump Source
    • Source File: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2289046426.0000000000900000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289061817.0000000000902000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289093997.0000000000906000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289149474.0000000000916000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289290202.0000000000A74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289311227.0000000000A76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289379863.0000000000A96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289402652.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289418345.0000000000A99000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289440172.0000000000A9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289458371.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289478706.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289503853.0000000000AC0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289523860.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289541700.0000000000AC3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289619509.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289670117.0000000000ACC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289765155.0000000000AD7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289822186.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289879689.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289894599.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289909432.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289932881.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289951799.0000000000AF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289974554.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289990092.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290006724.0000000000B02000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290023779.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290042029.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290058747.0000000000B19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290072905.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290088659.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290105195.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290125143.0000000000B30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290139232.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290155460.0000000000B3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290173880.0000000000B3C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 824aff33cc1d388ba1595293ff4f2a9408e3a7c3fe8982ab1e341f7cc8a0037b
    • Instruction ID: 175227fc407930cdc436e0e6f219f3a3922a108615a87b21443429ebaee3e6a0
    • Opcode Fuzzy Hash: 824aff33cc1d388ba1595293ff4f2a9408e3a7c3fe8982ab1e341f7cc8a0037b
    • Instruction Fuzzy Hash: FE31E6F71881087DE601EE45AB54AFB7B7DE7C3730F30842AF846D6982E2A10D095339
    APIs
    • CreateFileA.KERNELBASE(CAB9006A), ref: 00A8D702
    Memory Dump Source
    • Source File: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: abfbe70bf23f98653fecb46e52ac992df0fe431096deb858f8b9191ebb8996f2
    • Instruction ID: e6d97147e58d581e9ee1207a7edc9411de2a500219e5780e0d78119630c17e8c
    • Opcode Fuzzy Hash: abfbe70bf23f98653fecb46e52ac992df0fe431096deb858f8b9191ebb8996f2
    • Instruction Fuzzy Hash: 7E3192F71882196DF601AE45AA54AFE7B7DE7C3730F30842AF846D6982E2A10D095739
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 11a9705f8498ffa42778fc212164ef4e7a988593212cc14f6cb6e4a26b325949
    • Instruction ID: a2b27e68ab7c0f186c482b2d3f416da62b7de287f4c7784386b34d89afa8f359
    • Opcode Fuzzy Hash: 11a9705f8498ffa42778fc212164ef4e7a988593212cc14f6cb6e4a26b325949
    • Instruction Fuzzy Hash: 21312DF250C600AFE301AF49D981ABAFBF9FB89330F26482DE2C5D2600D77448449B63
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 386c47394fa72a22e8d9a172ba9c647e97c3a215aec33b8ba544f01a792870cd
    • Instruction ID: 1eb0144db5d1a02e4d3bc64c354fe1036ed07e2bba1bc4f7d858f3fed45a3db4
    • Opcode Fuzzy Hash: 386c47394fa72a22e8d9a172ba9c647e97c3a215aec33b8ba544f01a792870cd
    • Instruction Fuzzy Hash: 6C3115B210D700AFE7166F18DC816BEFBE5FF94364F12482EE6C142600DA3A5480DB57
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00ADF2CF
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 3aeaf35d37f557bc2da9caedf96a4782a2a0292c12ed5e7d49c59b86130cfd6f
    • Instruction ID: c9f52d75935c9dfe9ee52afa7a782fa6314be1f0771c83285bd12e118210cfaf
    • Opcode Fuzzy Hash: 3aeaf35d37f557bc2da9caedf96a4782a2a0292c12ed5e7d49c59b86130cfd6f
    • Instruction Fuzzy Hash: C2319E71900209FEEB209F64DC45F9EBBB8FF04724F20816AF917AA291C771AA51DB10
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00ADEAB8
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: ee8fb57420808b4337a616d5c9e6c83ffda4a790fc76a0b2045e2ea956a22c6f
    • Instruction ID: a002ba26d6cdc54d77774724a91568ce9971f0335637c9712433c64ee5a86dac
    • Opcode Fuzzy Hash: ee8fb57420808b4337a616d5c9e6c83ffda4a790fc76a0b2045e2ea956a22c6f
    • Instruction Fuzzy Hash: B9319371600605BAEB20EF64DC45F99B7B8FB04764F20826BF616AE2D1C7B1B942CB54
    APIs
    • CreateFileA.KERNELBASE(?,E34554F4,00000003), ref: 00A8D87F
    Memory Dump Source
    • Source File: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 371523da358f33eedf9479e185b5de49a21c0c73bb5e8fd6ac480a1916a403de
    • Instruction ID: 8f9fea0d1bf48b48d3be95959c76f7b280cba70f98602a74eb2c01e2ab464788
    • Opcode Fuzzy Hash: 371523da358f33eedf9479e185b5de49a21c0c73bb5e8fd6ac480a1916a403de
    • Instruction Fuzzy Hash: A11144B368835E6AC701BF6999416EE3B6DFB82371F20406AF54296D83D3A25C009768
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04E40DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2292105286.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e40000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 946704e1e4619f9ecc3dab9f67fee088d49902098e30a08569cc403cd88f4d57
    • Instruction ID: b1c94599924ff472c45a94a92066684fc572f1a86499f1c654f96f8efb0e4e39
    • Opcode Fuzzy Hash: 946704e1e4619f9ecc3dab9f67fee088d49902098e30a08569cc403cd88f4d57
    • Instruction Fuzzy Hash: 2C2138B6C012099FCB50CF99E484BDEFBF4FF88710F15852AD908AB204D774A544CBA5
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04E40DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2292105286.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e40000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 422e1fecbb5dd22f2fc214e75e691d9c8872bdbf702ca635b4a5b69ac22dc390
    • Instruction ID: ebe10657bb813b6a7ab5eb99c659fffb1d40779657d3b62b8b6532487c66a71a
    • Opcode Fuzzy Hash: 422e1fecbb5dd22f2fc214e75e691d9c8872bdbf702ca635b4a5b69ac22dc390
    • Instruction Fuzzy Hash: 2A2115B6C012199FCB50CF99E884BDEFBF4FF88720F14852AD908AB204D774A544CBA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04E41580
    Memory Dump Source
    • Source File: 00000000.00000002.2292105286.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e40000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 96a1de97c1d2ad7f7ed729826b2efe57468c7683580489bae1e160da0dd6f4cd
    • Instruction ID: 19e9fc43a2e1fa0c04a8c3733d812be71c2c0f7cc15ac23f42f8aa9cf1905e12
    • Opcode Fuzzy Hash: 96a1de97c1d2ad7f7ed729826b2efe57468c7683580489bae1e160da0dd6f4cd
    • Instruction Fuzzy Hash: AC2103B1D00249CFDB10CF9AD584BDEFBF4AB88324F10842AE558A7250D378A654CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04E41580
    Memory Dump Source
    • Source File: 00000000.00000002.2292105286.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e40000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 71a7044c42fddf455f6c5e6d0e4992f4631225b71ed6702eda836bc2fd2b659b
    • Instruction ID: 4d0a072a64e030b4ac85374ef3c6644c586218bfd4e28e3e9bbfa9b46eb50b23
    • Opcode Fuzzy Hash: 71a7044c42fddf455f6c5e6d0e4992f4631225b71ed6702eda836bc2fd2b659b
    • Instruction Fuzzy Hash: 6711D3B1D002499FDB10CF9AD584BDEFBF4AB88324F108429E559A3250D778A644CFA5
    APIs
      • Part of subcall function 00ADCAE0: GetCurrentThreadId.KERNEL32 ref: 00ADCAEF
      • Part of subcall function 00ADCAE0: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00ADCB32
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-119C5FEC), ref: 00AE1DEE
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CurrentFileSleepThreadView
    • String ID:
    • API String ID: 2270672837-0
    • Opcode ID: ea6d3bfce8a63c2c9cbdce82bf54757c6953a822f50b11cdca66f784297a14b9
    • Instruction ID: 3034289eb3384c743d53c1d789b57e3a16be91ef1811708085717b83def9aba7
    • Opcode Fuzzy Hash: ea6d3bfce8a63c2c9cbdce82bf54757c6953a822f50b11cdca66f784297a14b9
    • Instruction Fuzzy Hash: 1F11E23210019AEFCF12AFA5DD4ACAE3B76BF58351B008512F91295020C736C5B2EBA1
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: 13f0c8a174911b4f731beee6ac260fba3c8d5f04ecbb67fc336b7f3b94eb5acc
    • Instruction ID: 87b762e01c573ea383bb6ddb389f519095404a931f7d1c2bcfbf47b2510cafbc
    • Opcode Fuzzy Hash: 13f0c8a174911b4f731beee6ac260fba3c8d5f04ecbb67fc336b7f3b94eb5acc
    • Instruction Fuzzy Hash: B9116D7210019AEECF12AFA5CE09EDE3B76BF44354F108126F8038A161D735CA61EBA0
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04E41367
    Memory Dump Source
    • Source File: 00000000.00000002.2292105286.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e40000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: da640b38635884a66c2f91250c66f1ab68bd74e669aea42ff809c7e12e754c5f
    • Instruction ID: def027ac6d426e8afbeb2822d9c422653f49c6351a6fce82a394d4f495a088c9
    • Opcode Fuzzy Hash: da640b38635884a66c2f91250c66f1ab68bd74e669aea42ff809c7e12e754c5f
    • Instruction Fuzzy Hash: 6D1125B290024ACFDB10CF9AD545BEEFBF4EF88324F20845AD558A3640D778A584CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04E41367
    Memory Dump Source
    • Source File: 00000000.00000002.2292105286.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e40000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 248677974ebfd2a79aecf36813b381385c0efe7522448df754f8722ad2c3ef6e
    • Instruction ID: b1af71ada65e0b41868c7ee1a31651d840df6d004959ac03bd23363fc2cdc068
    • Opcode Fuzzy Hash: 248677974ebfd2a79aecf36813b381385c0efe7522448df754f8722ad2c3ef6e
    • Instruction Fuzzy Hash: B41125B1800349CFDB10CF9AD545BEEFBF8AB88324F20841AD558A3640D778A544CBA5
    APIs
      • Part of subcall function 00ADCAE0: GetCurrentThreadId.KERNEL32 ref: 00ADCAEF
      • Part of subcall function 00ADCAE0: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00ADCB32
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-119C5FEC,?,?,00ADF162,?,?,00000400,?,00000000,?,00000000), ref: 00AE149F
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CurrentFileReadSleepThread
    • String ID:
    • API String ID: 1253362762-0
    • Opcode ID: 779f12fd84f0e1db42ab0634778f2d61c11d416f553d80089e3c0b2dd18edc17
    • Instruction ID: 480e5363366e59fe8ad64f020277e0b53ab1413ee53d3a41395272faa46f65fe
    • Opcode Fuzzy Hash: 779f12fd84f0e1db42ab0634778f2d61c11d416f553d80089e3c0b2dd18edc17
    • Instruction Fuzzy Hash: 51F03C7210005AFBCF12AFA5CD05D8E3F76FF443A0F018522F60649261C732D5A1EBA0
    APIs
    • GetProcAddress.KERNEL32(00ADDBCC,00ADDBCC), ref: 00ADE461
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: AddressProc
    • String ID:
    • API String ID: 190572456-0
    • Opcode ID: 74e713fd5768db3bb905c4e621169dbc1b618d19080408fab2f806c90c63a77c
    • Instruction ID: 21fb123c3b096ab4d473505514c668709a310cd17da50caff6ea5708e62fb470
    • Opcode Fuzzy Hash: 74e713fd5768db3bb905c4e621169dbc1b618d19080408fab2f806c90c63a77c
    • Instruction Fuzzy Hash: CEE048B1240105BACF11BF74DE0AD9E3F66AF543A0750C123F9175C365DB32C562E6A1
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2289379863.0000000000A96000.00000080.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2289046426.0000000000900000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289061817.0000000000902000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289093997.0000000000906000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289149474.0000000000916000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289290202.0000000000A74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289311227.0000000000A76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289402652.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289418345.0000000000A99000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289440172.0000000000A9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289458371.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289478706.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289503853.0000000000AC0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289523860.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289541700.0000000000AC3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289619509.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289670117.0000000000ACC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289765155.0000000000AD7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289822186.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289879689.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289894599.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289909432.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289932881.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289951799.0000000000AF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289974554.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289990092.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290006724.0000000000B02000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290023779.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290042029.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290058747.0000000000B19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290072905.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290088659.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290105195.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290125143.0000000000B30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290139232.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290155460.0000000000B3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290173880.0000000000B3C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 95f7431f4a36876112358af83b2f9ad83b5f4be422745e8cb9e4830af46e9e69
    • Instruction ID: 84591a5de8532e7bb0e13d379314f48497650efbfb7b555ec34241b68cc57d36
    • Opcode Fuzzy Hash: 95f7431f4a36876112358af83b2f9ad83b5f4be422745e8cb9e4830af46e9e69
    • Instruction Fuzzy Hash: 49E039B284C709CFCB047F78DC8816DFBF4EB18720F16092DA9D583A00EA7015609B52
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: the same dumps of the image at 00900000 listed in the entry above, minus this entry's own source file
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: ebf5599c0d3476b045d58215cf9960b46d16d8b2c901997ebdaacba54c85c615
    • Instruction ID: a9e51538c210e9af20be3a9a653c232e1f4587d289243e9f93bbaf06c76563bc
    • Opcode Fuzzy Hash: ebf5599c0d3476b045d58215cf9960b46d16d8b2c901997ebdaacba54c85c615
    • Instruction Fuzzy Hash: E0B02B3E241630498340DA7000C02DD7EB2ED84101B5000769590C6012C411830D4640
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: the same dumps of the image at 00900000 listed in the entry above, minus this entry's own source file
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: aae88e1e0e311951bf7358b18a4a4b192eb103039c00c6c848f885fbb1fbb932
    • Instruction ID: f094170c39a4843aa5c0330ae2b0493a438e6bea8fbf8ca692cd672253c5e4df
    • Opcode Fuzzy Hash: aae88e1e0e311951bf7358b18a4a4b192eb103039c00c6c848f885fbb1fbb932
    • Instruction Fuzzy Hash: 4801E472A0010ABFCF11AFA4CC04EDEBF76FF59790F400162A506A8160E7729A62DF60
    APIs
      • Part of subcall function 00ADCAE0: GetCurrentThreadId.KERNEL32 ref: 00ADCAEF
      • Part of subcall function 00ADCAE0: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00ADCB32
    • CloseHandle.KERNELBASE(00ADF1F7,-119C5FEC,?,?,00ADF1F7,?), ref: 00ADF872
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: the same dumps of the image at 00900000 listed in the entry above, minus this entry's own source file
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleSleepThread
    • String ID:
    • API String ID: 4003616898-0
    • Opcode ID: 4aa6a33f319ff7502626d5d244847305851a81d58782d6894d9ab5774feb3276
    • Instruction ID: 2ef6347de44bc907270983c315dff7d40f0800cdfdd6424f52bb926a1d8432eb
    • Opcode Fuzzy Hash: 4aa6a33f319ff7502626d5d244847305851a81d58782d6894d9ab5774feb3276
    • Instruction Fuzzy Hash: FFE04F72200106BECA10BBB8EE0AD8F3A29AF907A47404633F40789251DB24D192E6A1
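Each entry above follows the same layout: an APIs block (resolved calls with their call-site address and, where the call happens in a callee, the subcall function), a Memory Dump Source block naming the .sdmp region the function was lifted from, and a Similarity block with the API ID and the opcode/instruction hashes. The dump names themselves encode where and how the page was mapped. The following is an added example, not Joe Sandbox code: it parses one entry (the CloseHandle/Sleep function directly above, embedded here as constructed input) and the dump names, and picks out dumps that are executable and writable pages inside the mapped image, which is where unpacked or self-modified code lands. The assumed field order of an .sdmp name (process index, dump index, region id, base address, page protection, flag, memory type, section index) is inferred from the names on this page, and the protection and memory-type values are read as the standard winnt.h constants; both are assumptions, not documented Joe Sandbox behaviour.

```python
"""Parse Joe Sandbox IDA-plugin function entries and memory-dump names.

Added example for this report page; it is not Joe Sandbox code. The
.sdmp field layout (process . dump . region id . base . protection .
flag . memory type . section) is inferred from the names in the report,
and the protection / memory-type constants are assumed to be the
standard winnt.h values.
"""
import re
from dataclasses import dataclass

PAGE_PROTECT = {  # winnt.h page-protection constants
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_IMAGE = 0x01000000  # region backed by a mapped PE image

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<dump>[0-9a-f]{8})\.(?P<region>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<flag>[0-9a-f]{8})\."
    r"(?P<mtype>[0-9a-f]{8})\.(?P<section>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)
# One "APIs" line: optional subcall prefix, Api.MODULE, optional (args), ref: address
API_CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    process: int
    dump: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:02x}")

    @property
    def writable_executable(self) -> bool:
        # executable class (0x10..0x80) and a writable variant (RW or WC);
        # WRITECOPY pages are writable from the process's point of view
        return bool(self.protect & 0xF0) and bool(self.protect & 0xCC)

    @property
    def is_image(self) -> bool:
        return self.mem_type == MEM_IMAGE


def parse_dump_name(raw: str) -> DumpRegion:
    """Parse one .sdmp name; tolerates the 'Download File' link label the report page glues on."""
    name = raw.strip()
    if name.endswith("Download File"):
        name = name[: -len("Download File")]
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {raw!r}")
    return DumpRegion(name, int(m["proc"], 16), int(m["dump"], 16),
                      int(m["base"], 16), int(m["protect"], 16), int(m["mtype"], 16))


def parse_entry(text: str) -> dict:
    """Parse one function entry (APIs / Memory Dump Source / Similarity) into a dict."""
    entry = {"calls": [], "associated": [], "source": None, "image_base": None}
    labels = {"API ID:": "api_id", "API String ID:": "api_string_id",
              "Opcode ID:": "opcode_id", "Instruction Fuzzy Hash:": "instruction_hash"}
    for line in text.splitlines():
        line = line.strip().lstrip("•").strip()
        call = API_CALL_RE.match(line)
        if call:
            entry["calls"].append({
                "api": call["api"], "module": call["module"],
                "args": [a for a in (call["args"] or "").split(",") if a],
                "ref": int(call["ref"], 16),                      # call-site address
                "subcall": int(call["sub"], 16) if call["sub"] else None,
            })
        elif line.startswith("Source File:"):
            rest = line[len("Source File:"):]
            entry["source"] = parse_dump_name(rest.split(",", 1)[0])
            off = re.search(r"Offset: ([0-9A-Fa-f]+)", rest)       # image base
            entry["image_base"] = int(off.group(1), 16) if off else None
        elif line.startswith("Associated:"):
            entry["associated"].append(parse_dump_name(line[len("Associated:"):]))
        else:
            for label, key in labels.items():
                if line.startswith(label):
                    entry[key] = line[len(label):].strip()
    return entry


def rwx_image_regions(regions) -> list:
    """Dumps to open first: executable and writable pages inside the mapped image."""
    return [r for r in regions if r.is_image and r.writable_executable]


# Constructed sample: the CloseHandle/Sleep entry and four dump names from this page
SAMPLE_ENTRY = """\
APIs
  • Part of subcall function 00ADCAE0: GetCurrentThreadId.KERNEL32 ref: 00ADCAEF
  • Part of subcall function 00ADCAE0: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00ADCB32
• CloseHandle.KERNELBASE(00ADF1F7,-119C5FEC,?,?,00ADF1F7,?), ref: 00ADF872
Memory Dump Source
• Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.2289046426.0000000000900000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2289093997.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2289149474.0000000000916000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
Similarity
• API ID: CloseCurrentHandleSleepThread
• API String ID: 4003616898-0
• Opcode ID: 4aa6a33f319ff7502626d5d244847305851a81d58782d6894d9ab5774feb3276
• Instruction Fuzzy Hash: FFE04F72200106BECA10BBB8EE0AD8F3A29AF907A47404633F40789251DB24D192E6A1
"""

if __name__ == "__main__":
    entry = parse_entry(SAMPLE_ENTRY)
    print(entry["api_id"], [c["api"] for c in entry["calls"]])
    for r in rwx_image_regions([entry["source"], *entry["associated"]]):
        print(f"{r.base:#010x} {r.protect_name} {r.name}")
```

On the sample the function's own dump (AD9000, PAGE_EXECUTE_READWRITE) and two of the associated dumps (90A000 and 916000) are flagged, while the header page at 900000 (PAGE_READWRITE) and the PAGE_WRITECOPY page at 906000 are not. If the field interpretation does not hold for a given report version, the protection names will simply come out as raw hex values rather than silently mislabelling anything.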
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 0090E43A
    Memory Dump Source
    • Source File: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: the same dumps of the image at 00900000 listed in the first full entry above, minus this entry's own source file
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: e13b3170de80d3f4f06a02757767ff9af59f485adbdc9d7e0701446fb1519dea
    • Instruction ID: 4241c9d7bbad27b400ba13161aa8f05e722d937b7148f9b7ba680f5317932f93
    • Opcode Fuzzy Hash: e13b3170de80d3f4f06a02757767ff9af59f485adbdc9d7e0701446fb1519dea
    • Instruction Fuzzy Hash: 64E0C2F011C30D9FDB503F0AEC857BEBF98EB04704F11092CA78506A80EA360800C69A
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 0090F602
    Memory Dump Source
    • Source File: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2289046426.0000000000900000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289061817.0000000000902000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289093997.0000000000906000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289149474.0000000000916000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289290202.0000000000A74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289311227.0000000000A76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289379863.0000000000A96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289402652.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289418345.0000000000A99000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289440172.0000000000A9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289458371.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289478706.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289503853.0000000000AC0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289523860.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289541700.0000000000AC3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289619509.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289670117.0000000000ACC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289765155.0000000000AD7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289822186.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289879689.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289894599.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289909432.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289932881.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289951799.0000000000AF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289974554.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289990092.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290006724.0000000000B02000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290023779.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290042029.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290058747.0000000000B19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290072905.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290088659.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290105195.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290125143.0000000000B30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290139232.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290155460.0000000000B3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290173880.0000000000B3C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 4c2f5c0aa6f0d78e79664546eb98e2cc9a7609783a01ac896a1681c2c01c5cb9
    • Instruction ID: ac8e1ad149da410a63e8a8245b4212505dd328af156e5ebe37cb77dfa6b8e7a7
    • Opcode Fuzzy Hash: 4c2f5c0aa6f0d78e79664546eb98e2cc9a7609783a01ac896a1681c2c01c5cb9
    • Instruction Fuzzy Hash: 19E0E27460C69ACFDB402F6894081BE76A0FF05315F244D68ECA38AAC0E6265C64DA5A
    APIs
    • CloseHandle.KERNELBASE(?,?,00ADC97F,?,?), ref: 00ADE8FF
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2289046426.0000000000900000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289061817.0000000000902000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289093997.0000000000906000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289149474.0000000000916000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289290202.0000000000A74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289311227.0000000000A76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289379863.0000000000A96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289402652.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289418345.0000000000A99000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289440172.0000000000A9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289458371.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289478706.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289503853.0000000000AC0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289523860.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289541700.0000000000AC3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289619509.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289670117.0000000000ACC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289765155.0000000000AD7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289822186.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289879689.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289894599.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289909432.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289932881.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289951799.0000000000AF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289974554.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289990092.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290006724.0000000000B02000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290023779.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290042029.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290058747.0000000000B19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290072905.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290088659.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290105195.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290125143.0000000000B30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290139232.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290155460.0000000000B3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290173880.0000000000B3C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: c53d6c59043bf0cd15ec786a3f2f45b19a9e619220bed77845ebbc3781cd1588
    • Instruction ID: 7cbb2f591bab3d1620c653a86a43fa60c311e084764b1dc858b0be5864f317ed
    • Opcode Fuzzy Hash: c53d6c59043bf0cd15ec786a3f2f45b19a9e619220bed77845ebbc3781cd1588
    • Instruction Fuzzy Hash: B9B09231000109BBCB01BF55EC0688DBF6ABF557D9B408121FD0A5D572CB72E960ABE0
    APIs
      • Part of subcall function 00ADCAE0: GetCurrentThreadId.KERNEL32 ref: 00ADCAEF
      • Part of subcall function 00ADCAE0: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00ADCB32
    • GetSystemTime.KERNEL32(?,-119C5FEC), ref: 00AE0C62
    • GetFileTime.KERNEL32(?,?,?,?,-119C5FEC), ref: 00AE0CA5
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2289046426.0000000000900000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289061817.0000000000902000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289093997.0000000000906000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289149474.0000000000916000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289290202.0000000000A74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289311227.0000000000A76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289379863.0000000000A96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289402652.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289418345.0000000000A99000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289440172.0000000000A9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289458371.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289478706.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289503853.0000000000AC0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289523860.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289541700.0000000000AC3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289619509.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289670117.0000000000ACC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289765155.0000000000AD7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289822186.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289879689.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289894599.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289909432.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289932881.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289951799.0000000000AF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289974554.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289990092.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290006724.0000000000B02000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290023779.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290042029.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290058747.0000000000B19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290072905.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290088659.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290105195.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290125143.0000000000B30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290139232.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290155460.0000000000B3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290173880.0000000000B3C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSleepSystemThread
    • String ID:
    • API String ID: 3818558864-0
    • Opcode ID: fc241a213d8e9587dddad3b02d844752eb30038241e90f05818174fa4ea87624
    • Instruction ID: afb9af8f75e9c9d8226de8783fd55b433c74a54f0b0fa9d3bd416fa616c1c61d
    • Opcode Fuzzy Hash: fc241a213d8e9587dddad3b02d844752eb30038241e90f05818174fa4ea87624
    • Instruction Fuzzy Hash: B3011A3210418AFBCB215F6ADD0DDCE3B35EFC4361B504626F80645120C772D5A1EAA0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2289046426.0000000000900000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289061817.0000000000902000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289093997.0000000000906000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289149474.0000000000916000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289290202.0000000000A74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289311227.0000000000A76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289379863.0000000000A96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289402652.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289418345.0000000000A99000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289440172.0000000000A9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289458371.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289478706.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289503853.0000000000AC0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289523860.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289541700.0000000000AC3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289619509.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289670117.0000000000ACC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289765155.0000000000AD7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289822186.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289879689.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289894599.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289909432.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289932881.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289951799.0000000000AF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289974554.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289990092.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290006724.0000000000B02000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290023779.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290042029.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290058747.0000000000B19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290072905.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290088659.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290105195.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290125143.0000000000B30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290139232.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290155460.0000000000B3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290173880.0000000000B3C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID:
    • String ID: !g=m$a }}
    • API String ID: 0-4022380162
    • Opcode ID: 26556f28f52f10b74c309cc0ce1434f5963356e8718d5df9e48b4f5fbac58e6f
    • Instruction ID: 8ce1b9a16c87aab101f156556f80bf07d83ff8daf526a975f30337ae2edd7d05
    • Opcode Fuzzy Hash: 26556f28f52f10b74c309cc0ce1434f5963356e8718d5df9e48b4f5fbac58e6f
    • Instruction Fuzzy Hash: 28716CF39186109BE714BF29DC8176ABBE4EF58720F0A492DEAD483340E6355854CBDB
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 00AE1B32
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    • Associated: 00000000.00000002.2289046426.0000000000900000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289061817.0000000000902000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289093997.0000000000906000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289149474.0000000000916000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289290202.0000000000A74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289311227.0000000000A76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289331881.0000000000A92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289379863.0000000000A96000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289402652.0000000000A97000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289418345.0000000000A99000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289440172.0000000000A9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289458371.0000000000AA7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289478706.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289503853.0000000000AC0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289523860.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289541700.0000000000AC3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289619509.0000000000AC4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289670117.0000000000ACC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289765155.0000000000AD7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289822186.0000000000AD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289879689.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289894599.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289909432.0000000000AE5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289932881.0000000000AE8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289951799.0000000000AF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289974554.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2289990092.0000000000AFA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290006724.0000000000B02000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290023779.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290042029.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290058747.0000000000B19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290072905.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290088659.0000000000B1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290105195.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290125143.0000000000B30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290139232.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290155460.0000000000B3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290173880.0000000000B3C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290190114.0000000000B49000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290204389.0000000000B4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B94000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290239381.0000000000B9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290274904.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2290296305.0000000000BAE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    • Opcode ID: 1d686148c8b7e1454222ca3a68846111aa876b41e1a8b48b290af0597f39065d
    • Instruction ID: 5cc9311421663aee0e9be1b3516caa8ce7c5e20675570e3801077e2bd6f8f2e9
    • Opcode Fuzzy Hash: 1d686148c8b7e1454222ca3a68846111aa876b41e1a8b48b290af0597f39065d
    • Instruction Fuzzy Hash: D1F01C3260014EFFCF01CF95C95498D7BB2FF14344B108125F90696610D3B59670EF80
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID:
    • String ID: NTDL
    • API String ID: 0-3662016964
    • Opcode ID: 228b513a095685e7076eaa27ed808298f479fc8794159869f5a4bee2d40ea746
    • Instruction ID: 8bd23210c11a6c6c52a700a69fd2ce2e8db4acc049ec3df576288902df64c7f8
    • Opcode Fuzzy Hash: 228b513a095685e7076eaa27ed808298f479fc8794159869f5a4bee2d40ea746
    • Instruction Fuzzy Hash: 3661067250921F8FDB058FA4C5401EF7BA5FF92320F24892AD84287EC2D7B64D61DB59
    Memory Dump Source
    • Source File: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bcdd4341b11d8c60d053bac80e37a86d2bd31b0c47fd0295262e133cef029d07
    • Instruction ID: c7f9d21ab1e8f3e620dc0954ce07c3d4b6ae1d85d1e899a677031bdfdbd27881
    • Opcode Fuzzy Hash: bcdd4341b11d8c60d053bac80e37a86d2bd31b0c47fd0295262e133cef029d07
    • Instruction Fuzzy Hash: EFB1E5B3F162654BF3454E24CC643617B63DBD2310F2F81BA8A889B7D6D93E5D0A9384
    Memory Dump Source
    • Source File: 00000000.00000002.2289126679.000000000090A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4f336aff95e3e38b2910784a5a3fda4d22d22a5f2d0125947854583d6f83456d
    • Instruction ID: 119dd9cebbbacb6afc2092a9ab1d9fc8f8ab96130b314b66618988e30ceaee04
    • Opcode Fuzzy Hash: 4f336aff95e3e38b2910784a5a3fda4d22d22a5f2d0125947854583d6f83456d
    • Instruction Fuzzy Hash: 4CB19BF7F512254BF3544979CD983A126839BD5320F2F42388B5CABBC6D8BE9D0A5384
    APIs
      • Part of subcall function 00ADCAE0: GetCurrentThreadId.KERNEL32 ref: 00ADCAEF
      • Part of subcall function 00ADCAE0: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00ADCB32
      • Part of subcall function 00AE11E1: IsBadWritePtr.KERNEL32(?,00000004), ref: 00AE11EF
    • wsprintfA.USER32 ref: 00AE01A9
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 00AE026D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadSleepThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 2375920415-2046107164
    • Opcode ID: a93f57ba478fe7fa3a82fc2443701605ec8c71b3ca1ec6a30dfff2f8f64a4392
    • Instruction ID: d8ca269db572f41378695135a18707cd2f8a61f2e320a67549449a6faf7f13be
    • Opcode Fuzzy Hash: a93f57ba478fe7fa3a82fc2443701605ec8c71b3ca1ec6a30dfff2f8f64a4392
    • Instruction Fuzzy Hash: E731187190014ABFCF11DFA5DD49EEEBB75FF84710F108125FA11A61A0C7719A61DB90
    APIs
    • GetFileAttributesExW.KERNEL32(00D5125C,00004020,00000000,-119C5FEC), ref: 00AE0E21
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2289845535.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_900000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: e66d7fe16d553516c7eaf64fc2ae09445161f53101cfec4de9045e03af1a6ad1
    • Instruction ID: 640baccb98fb8c2e059441fd9ccc2a0a281f488dd5cf7b71d1e4ae460e35e4ba
    • Opcode Fuzzy Hash: e66d7fe16d553516c7eaf64fc2ae09445161f53101cfec4de9045e03af1a6ad1
    • Instruction Fuzzy Hash: CD316DB1504749EFDF25CF55C884B8ABBB0FF08350F00852AE95667250C3B0AAA5DF90