Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1565434
MD5:d9a99fabad112a481f4edd491d42cc31
SHA1:703ed125b6ca6ede62afe5b4052e529ddbfcf65b
SHA256:f23764edfad2e0c8ddadbe725308855f9a5c5bbdc31e9c31398c85b817869456
Tags:exeuser-Bitsight
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to execute programs as a different user
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 6184 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D9A99FABAD112A481F4EDD491D42CC31)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exeJoe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2121713624.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmp

System Summary

barindex
PE file contains section with special chars
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A833460_2_00A83346
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0089586E0_2_0089586E
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00895CDB0_2_00895CDB
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A17FA50_2_00A17FA5
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A17F930_2_00A17F93
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A3AFE80_2_00A3AFE8
Source: file.exe, 00000000.00000002.2257802168.00000000011CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exeBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engineClassification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.logJump to behavior
Source: C:\Users\user\Desktop\file.exeMutant created: NULL
Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: file.exeString found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exeString found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exeString found in binary or memory: 3The file %s is missing. Please, re-install this applicationFDS_WL_
Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
Source: file.exeStatic file information: File size 2870784 > 1048576
Source: file.exeStatic PE information: Raw size of wyqduyzg is bigger than: 0x100000 < 0x2b6e00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2121713624.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.880000.0.unpack :EW;.rsrc:W;.idata :W;wyqduyzg:EW;czyuacgp:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
Source: file.exeStatic PE information: real checksum: 0x2c4f9b should be: 0x2c3ac6
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name: .idata
Source: file.exeStatic PE information: section name: wyqduyzg
Source: file.exeStatic PE information: section name: czyuacgp
Source: file.exeStatic PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A26000 push 59353B21h; mov dword ptr [esp], ecx0_2_00A293A6
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A3A105 push 2BEAF880h; mov dword ptr [esp], ebx0_2_00A3A144
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A3A105 push ebx; mov dword ptr [esp], ecx0_2_00A3A23D
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A2639D push eax; mov dword ptr [esp], 0B2692E0h0_2_00A2757B
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A2639D push 36F95159h; mov dword ptr [esp], ebx0_2_00A2797B
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A17B26 push 1DF4375Eh; mov dword ptr [esp], ecx0_2_00A17B3E
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A17B26 push edx; mov dword ptr [esp], 76D311E4h0_2_00A17B82
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A17B26 push 5D6E9F38h; mov dword ptr [esp], esi0_2_00A17C40
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A3BB56 push esi; mov dword ptr [esp], 3FFE03E9h0_2_00A3BBA0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A3BB56 push ebp; mov dword ptr [esp], ebx0_2_00A3BC33
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A17C54 push 4C751B44h; mov dword ptr [esp], edi0_2_00A17C87
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A17C54 push ecx; mov dword ptr [esp], 7FFBDBCBh0_2_00A17CC3
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A3A0B1 push 0BF326ABh; mov dword ptr [esp], edx0_2_00A3A0D4
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00892090 push 2D9DC203h; mov dword ptr [esp], edi0_2_00892097
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A1C0BC push ebp; ret 0_2_00A1C0CB
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AF109B push edx; mov dword ptr [esp], 4DC1B0C6h0_2_00AF10D6
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AF109B push 1FD221FAh; mov dword ptr [esp], esp0_2_00AF10E5
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A3C09E push edi; mov dword ptr [esp], 67FB77BEh0_2_00A3C158
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A190E8 push 375B0F1Dh; mov dword ptr [esp], edx0_2_00A190ED
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A280F0 push eax; mov dword ptr [esp], edi0_2_00A280F2
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A260FA push 18FB29ECh; mov dword ptr [esp], edi0_2_00A2902B
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB80F3 push eax; mov dword ptr [esp], ecx0_2_00AB8113
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008910E5 push 5E6431ECh; mov dword ptr [esp], esi0_2_00891300
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008910E5 push edi; mov dword ptr [esp], 2D537A32h0_2_00892AE4
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008910FB push 0A16FA5Ah; mov dword ptr [esp], ecx0_2_008954D9
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A180D9 push edi; mov dword ptr [esp], 75C45971h0_2_00A180EC
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A180D9 push eax; mov dword ptr [esp], 627B3392h0_2_00A1815F
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A180D9 push ecx; mov dword ptr [esp], 260F8BF0h0_2_00A181CD
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A26026 push 5614271Bh; mov dword ptr [esp], ebx0_2_00A2602B
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A1C024 push edi; ret 0_2_00A1C033
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00893000 push eax; mov dword ptr [esp], ecx0_2_008955B9
Source: file.exeStatic PE information: section name: entropy: 7.778036052010301

Boot Survival

barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonclassJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88DC3E second address: 88DC42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88DC42 second address: 88DC48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88DC48 second address: 88DC4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A179B0 second address: A179B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A17DF3 second address: A17DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A17DF9 second address: A17E1C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F00A51AE126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F00A51AE131h 0x00000011 jp 00007F00A51AE126h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1821E second address: A1822C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jng 00007F00A51A1D16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1822C second address: A18230 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A18230 second address: A1823E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F00A51A1D1Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1BBE8 second address: A1BBFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F00A51AE12Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1BBFC second address: A1BC01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1BC01 second address: A1BC42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007F00A51AE136h 0x00000014 jl 00007F00A51AE126h 0x0000001a popad 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e pop edx 0x0000001f popad 0x00000020 mov eax, dword ptr [eax] 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F00A51AE12Bh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1BC42 second address: A1BC5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51A1D21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1BC5A second address: A1BC70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jno 00007F00A51AE126h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1BD37 second address: A1BD48 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1BD48 second address: A1BD4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1BD4E second address: A1BDCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F00A51A1D20h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop eax 0x0000000e mov cx, 768Bh 0x00000012 push 00000003h 0x00000014 mov dword ptr [ebp+122D1D05h], eax 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007F00A51A1D18h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 00000016h 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 jmp 00007F00A51A1D1Ch 0x0000003b push 00000003h 0x0000003d call 00007F00A51A1D29h 0x00000042 movsx edx, bx 0x00000045 pop edx 0x00000046 push 87829BF9h 0x0000004b push edx 0x0000004c pushad 0x0000004d je 00007F00A51A1D16h 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1BDCD second address: A1BE03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 xor dword ptr [esp], 47829BF9h 0x0000000d pushad 0x0000000e push esi 0x0000000f mov ch, bh 0x00000011 pop eax 0x00000012 movzx edi, bx 0x00000015 popad 0x00000016 lea ebx, dword ptr [ebp+12461B29h] 0x0000001c jmp 00007F00A51AE134h 0x00000021 xchg eax, ebx 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1BE03 second address: A1BE1A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F00A51A1D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F00A51A1D1Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1BF79 second address: A1BF80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1BF80 second address: A1BFBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 47CB7EB8h 0x0000000e cld 0x0000000f jmp 00007F00A51A1D27h 0x00000014 lea ebx, dword ptr [ebp+12461B32h] 0x0000001a pushad 0x0000001b mov cl, 50h 0x0000001d mov ebx, 4436EF5Ch 0x00000022 popad 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push ecx 0x00000029 pop ecx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1BFBC second address: A1BFD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE130h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2D724 second address: A2D72A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2D72A second address: A2D72E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A062BC second address: A062C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A39FC1 second address: A39FC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A6E0 second address: A3A6E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A864 second address: A3A874 instructions: 0x00000000 rdtsc 0x00000002 js 00007F00A51AE12Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A9B3 second address: A3A9B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A9B7 second address: A3A9C5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F00A51AE126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3AB49 second address: A3AB50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3AB50 second address: A3AB93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F00A51AE126h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d jmp 00007F00A51AE12Ch 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 pop ebx 0x00000016 popad 0x00000017 pushad 0x00000018 pushad 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b pushad 0x0000001c popad 0x0000001d jo 00007F00A51AE126h 0x00000023 jmp 00007F00A51AE133h 0x00000028 popad 0x00000029 pushad 0x0000002a pushad 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3AB93 second address: A3ABB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F00A51A1D1Ah 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F00A51A1D20h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3ABB6 second address: A3ABBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3AE6B second address: A3AE76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3B167 second address: A3B172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F00A51AE126h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A30E6B second address: A30E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A30E71 second address: A30E76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3B9E1 second address: A3B9FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007F00A51A1D26h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3B9FF second address: A3BA16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F00A51AE12Eh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3BA16 second address: A3BA1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3BB75 second address: A3BB98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F00A51AE130h 0x00000009 popad 0x0000000a push ecx 0x0000000b jmp 00007F00A51AE12Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3BCF9 second address: A3BD0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F00A51A1D22h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3C097 second address: A3C0A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE12Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3C0A9 second address: A3C0B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3E491 second address: A3E4B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 jmp 00007F00A51AE12Fh 0x0000000d jc 00007F00A51AE12Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A401B3 second address: A401B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A46CFB second address: A46D01 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A46D01 second address: A46D06 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A46D06 second address: A46D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A46E6F second address: A46E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push edi 0x00000007 jl 00007F00A51A1D31h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F00A51A1D29h 0x00000014 push eax 0x00000015 push edx 0x00000016 jno 00007F00A51A1D16h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A471C6 second address: A471E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F00A51AE12Ch 0x00000009 jnp 00007F00A51AE126h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007F00A51AE126h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A471E5 second address: A471E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A471E9 second address: A471F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F00A51AE126h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A471F5 second address: A471FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A471FB second address: A471FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A47499 second address: A4749D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A02CD3 second address: A02D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007F00A51AE134h 0x00000010 jmp 00007F00A51AE138h 0x00000015 popad 0x00000016 pushad 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 jmp 00007F00A51AE12Fh 0x0000001e jnc 00007F00A51AE126h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A02D24 second address: A02D38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51A1D1Ah 0x00000007 je 00007F00A51A1D2Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4AC6A second address: A4AC86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F00A51AE132h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4AC86 second address: A4AC8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4AFBB second address: A4AFBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4B8C2 second address: A4B8C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4B8C6 second address: A4B8CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4BB02 second address: A4BB07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4BB07 second address: A4BB31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a jmp 00007F00A51AE137h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007F00A51AE126h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4BB31 second address: A4BB35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4CB48 second address: A4CB68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F00A51AE136h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4E7A3 second address: A4E7A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4E7A9 second address: A4E7AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4E7AD second address: A4E7B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5075F second address: A50763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A50763 second address: A507B6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a or dword ptr [ebp+122D2B84h], esi 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F00A51A1D18h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c mov edi, dword ptr [ebp+122D2D7Ah] 0x00000032 push ebx 0x00000033 mov dword ptr [ebp+122D2D3Ch], eax 0x00000039 pop esi 0x0000003a push 00000000h 0x0000003c mov di, 3A0Bh 0x00000040 xchg eax, ebx 0x00000041 push eax 0x00000042 push edx 0x00000043 jno 00007F00A51A1D18h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A507B6 second address: A507D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F00A51AE126h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 js 00007F00A51AE126h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A507D0 second address: A507D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A53D41 second address: A53D56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F00A51AE128h 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A53D56 second address: A53D64 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F00A51A1D1Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A55267 second address: A5528D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE132h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F00A51AE12Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A51AD1 second address: A51AF4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F00A51A1D2Ah 0x00000008 jmp 00007F00A51A1D24h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push esi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A59654 second address: A59659 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A54432 second address: A54436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A55446 second address: A55468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jmp 00007F00A51AE12Eh 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push ecx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A59659 second address: A5965F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A55468 second address: A5546C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A575C6 second address: A575CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A56621 second address: A56627 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A575CC second address: A575D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5883A second address: A588D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d call 00007F00A51AE132h 0x00000012 jo 00007F00A51AE129h 0x00000018 and bh, FFFFFFE8h 0x0000001b pop edi 0x0000001c push dword ptr fs:[00000000h] 0x00000023 push 00000000h 0x00000025 push esi 0x00000026 call 00007F00A51AE128h 0x0000002b pop esi 0x0000002c mov dword ptr [esp+04h], esi 0x00000030 add dword ptr [esp+04h], 00000018h 0x00000038 inc esi 0x00000039 push esi 0x0000003a ret 0x0000003b pop esi 0x0000003c ret 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 mov ebx, dword ptr [ebp+122D2FDDh] 0x0000004a mov eax, dword ptr [ebp+122D11A1h] 0x00000050 sub edi, 342CD9F4h 0x00000056 push FFFFFFFFh 0x00000058 push 00000000h 0x0000005a push eax 0x0000005b call 00007F00A51AE128h 0x00000060 pop eax 0x00000061 mov dword ptr [esp+04h], eax 0x00000065 add dword ptr [esp+04h], 00000019h 0x0000006d inc eax 0x0000006e push eax 0x0000006f ret 0x00000070 pop eax 0x00000071 ret 0x00000072 jmp 00007F00A51AE12Dh 0x00000077 nop 0x00000078 pushad 0x00000079 pushad 0x0000007a push eax 0x0000007b push edx 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A575D0 second address: A575DE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A588D8 second address: A58908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F00A51AE12Bh 0x00000009 popad 0x0000000a jmp 00007F00A51AE134h 0x0000000f popad 0x00000010 push eax 0x00000011 jc 00007F00A51AE134h 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5BECF second address: A5BED9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F00A51A1D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A575DE second address: A575E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5D075 second address: A5D07F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F00A51A1D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5DE2E second address: A5DE5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F00A51AE133h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F00A51AE133h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5BFA6 second address: A5BFC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51A1D28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5DE5D second address: A5DE67 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F00A51AE12Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5EE42 second address: A5EE46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5EE46 second address: A5EE4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5FF51 second address: A5FF55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60E45 second address: A60EF5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F00A51AE126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F00A51AE134h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F00A51AE128h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d call 00007F00A51AE12Ch 0x00000032 mov edi, 5F53E379h 0x00000037 pop ebx 0x00000038 push 00000000h 0x0000003a stc 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007F00A51AE128h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 0000001Dh 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 sub ebx, dword ptr [ebp+122D3B42h] 0x0000005d xchg eax, esi 0x0000005e push ecx 0x0000005f jmp 00007F00A51AE12Ah 0x00000064 pop ecx 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 jmp 00007F00A51AE138h 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60EF5 second address: A60EFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60EFA second address: A60F04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F00A51AE126h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60F04 second address: A60F08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5E113 second address: A5E11D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F00A51AE126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A61F3E second address: A61F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A62F76 second address: A62F7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A62F7A second address: A62F9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F00A51A1D21h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f jo 00007F00A51A1D1Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6213B second address: A6213F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6213F second address: A62145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A63242 second address: A63259 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE133h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6416D second address: A64171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64171 second address: A6420E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE137h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop eax 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F00A51AE128h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b pushad 0x0000002c mov eax, dword ptr [ebp+122D3B42h] 0x00000032 mov dword ptr [ebp+122D3586h], esi 0x00000038 popad 0x00000039 push dword ptr fs:[00000000h] 0x00000040 jbe 00007F00A51AE13Bh 0x00000046 call 00007F00A51AE12Eh 0x0000004b mov ebx, dword ptr [ebp+122D3005h] 0x00000051 pop edi 0x00000052 mov edi, dword ptr [ebp+1248A44Bh] 0x00000058 mov dword ptr fs:[00000000h], esp 0x0000005f sub dword ptr [ebp+122D1D7Bh], esi 0x00000065 mov eax, dword ptr [ebp+122D05F9h] 0x0000006b push FFFFFFFFh 0x0000006d sbb edi, 78D1F6BFh 0x00000073 nop 0x00000074 push eax 0x00000075 push edx 0x00000076 ja 00007F00A51AE128h 0x0000007c push edx 0x0000007d pop edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6CF96 second address: A6CFC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007F00A51A1D28h 0x0000000f jno 00007F00A51A1D16h 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7CA37 second address: A7CA48 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jc 00007F00A51AE138h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7CA48 second address: A7CA4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7CA4C second address: A7CA50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7CA50 second address: A7CA60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82354 second address: A82387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F00A51AE13Fh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F00A51AE12Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82387 second address: A823A4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F00A51A1D23h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A824F3 second address: A824FD instructions: 0x00000000 rdtsc 0x00000002 jl 00007F00A51AE126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A824FD second address: A82503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82836 second address: A8285B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F00A51AE139h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8285B second address: A82865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F00A51A1D16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82865 second address: A82869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82B1A second address: A82B2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F00A51A1D1Fh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82B2F second address: A82B4A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F00A51AE12Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82B4A second address: A82B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82B4E second address: A82B69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE135h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82B69 second address: A82B76 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jl 00007F00A51A1D16h 0x00000009 pop edx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A84620 second address: A84659 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE12Bh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007F00A51AE137h 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop eax 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jne 00007F00A51AE126h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52859 second address: A5285E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5285E second address: A52864 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52864 second address: A52868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52868 second address: A5286C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A528E2 second address: A528FF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F00A51A1D1Eh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A528FF second address: A52925 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F00A51AE126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F00A51AE130h 0x0000000f popad 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jg 00007F00A51AE126h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52A73 second address: A52A9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51A1D1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c mov edi, dword ptr [ebp+122D3A9Eh] 0x00000012 nop 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F00A51A1D1Dh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52C6C second address: A52C80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE130h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52DA5 second address: A52DAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52DAB second address: A52E05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE133h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F00A51AE128h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 mov dword ptr [ebp+1246119Ch], edx 0x0000002e mov dx, ax 0x00000031 push 00000004h 0x00000033 add dword ptr [ebp+1245E522h], ebx 0x00000039 nop 0x0000003a jng 00007F00A51AE12Ah 0x00000040 push eax 0x00000041 pushad 0x00000042 popad 0x00000043 pop eax 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52E05 second address: A52E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52E0A second address: A52E10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A53221 second address: A53254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F00A51A1D22h 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push edx 0x0000000f push esi 0x00000010 stc 0x00000011 pop ecx 0x00000012 pop ecx 0x00000013 sub di, 3B71h 0x00000018 push 0000001Eh 0x0000001a cld 0x0000001b nop 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jl 00007F00A51A1D16h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A53254 second address: A5325A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A881C6 second address: A881CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A88363 second address: A8837B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 jo 00007F00A51AE126h 0x0000000e jbe 00007F00A51AE126h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8860A second address: A8861B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jmp 00007F00A51A1D1Ah 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8861B second address: A88620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A88620 second address: A88650 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F00A51A1D22h 0x00000008 pushad 0x00000009 jmp 00007F00A51A1D27h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A887D5 second address: A887DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F0C4 second address: A8F0CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8F0CA second address: A8F0CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A94E01 second address: A94E21 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F00A51A1D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007F00A51A1D1Eh 0x00000010 jc 00007F00A51A1D1Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A93BC6 second address: A93BDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE133h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A94029 second address: A9402D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9402D second address: A9405A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jbe 00007F00A51AE126h 0x0000000d pop eax 0x0000000e jmp 00007F00A51AE139h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9405A second address: A9405E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A941AB second address: A941B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A941B0 second address: A941BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F00A51A1D16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A941BA second address: A941D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE12Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A941D0 second address: A941D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A941D4 second address: A941D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A941D8 second address: A941F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F00A51A1D21h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A941F3 second address: A94207 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE12Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A944E0 second address: A944E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A944E6 second address: A94513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F00A51AE126h 0x0000000a popad 0x0000000b push ebx 0x0000000c jmp 00007F00A51AE137h 0x00000011 pop ebx 0x00000012 push eax 0x00000013 js 00007F00A51AE12Eh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9469E second address: A946A8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F00A51A1D22h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A946A8 second address: A946AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9482D second address: A94831 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A94831 second address: A94837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A94837 second address: A94874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F00A51A1D1Ah 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F00A51A1D26h 0x00000017 jmp 00007F00A51A1D25h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A93515 second address: A93532 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F00A51AE133h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9989A second address: A998A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99A2F second address: A99A38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99A38 second address: A99A69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F00A51A1D16h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e jmp 00007F00A51A1D1Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F00A51A1D23h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99A69 second address: A99A6F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99CBB second address: A99CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99CC1 second address: A99CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99CCB second address: A99CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A99E48 second address: A99E52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9A75B second address: A9A760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9F934 second address: A9F972 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 jns 00007F00A51AE126h 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F00A51AE12Ch 0x00000016 jmp 00007F00A51AE12Ah 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F00A51AE12Ch 0x00000025 jnl 00007F00A51AE126h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9F972 second address: A9F97A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9F97A second address: A9F986 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F00A51AE126h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9F986 second address: A9F98A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA26C3 second address: AA26C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA26C7 second address: AA26DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F00A51A1D20h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA2862 second address: AA288A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F00A51AE12Fh 0x00000009 jmp 00007F00A51AE135h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA29C2 second address: AA29C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAA213 second address: AAA220 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAA220 second address: AAA23E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F00A51A1D1Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jnp 00007F00A51A1D16h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAA23E second address: AAA264 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE139h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jns 00007F00A51AE126h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA8B06 second address: AA8B0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA8B0A second address: AA8B10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA90D3 second address: AA90DF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA90DF second address: AA9121 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F00A51AE13Dh 0x0000000e jmp 00007F00A51AE135h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F00A51AE137h 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA9121 second address: AA9125 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52FE1 second address: A52FE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA93CE second address: AA93DE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F00A51A1D16h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAD36E second address: AAD385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F00A51AE131h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAD385 second address: AAD39E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F00A51A1D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F00A51A1D1Bh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAD39E second address: AAD3A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AACB40 second address: AACB5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jng 00007F00A51A1D18h 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F00A51A1D1Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AACCA0 second address: AACCD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE134h 0x00000007 jmp 00007F00A51AE12Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F00A51AE12Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AACCD2 second address: AACCD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AACCD8 second address: AACCDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB14A2 second address: AB14AF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F00A51A1D18h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB14AF second address: AB14D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F00A51AE126h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F00A51AE12Fh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB077B second address: AB0791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F00A51A1D20h 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB0791 second address: AB07AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jp 00007F00A51AE12Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007F00A51AE126h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB07AC second address: AB07BC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F00A51A1D1Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB0920 second address: AB0962 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE137h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F00A51AE132h 0x00000012 jnp 00007F00A51AE132h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB0962 second address: AB097C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F00A51A1D1Ch 0x0000000d jg 00007F00A51A1D16h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB0AFB second address: AB0B13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F00A51AE12Eh 0x00000009 jo 00007F00A51AE126h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB0DD5 second address: AB0E03 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jne 00007F00A51A1D16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007F00A51A1D4Eh 0x00000012 jmp 00007F00A51A1D29h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB7C1A second address: AB7C24 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB7C24 second address: AB7C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB7C28 second address: AB7C34 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnl 00007F00A51AE126h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB7EE8 second address: AB7EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB7EEE second address: AB7F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F00A51AE12Ah 0x0000000d pop edx 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB817E second address: AB81AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F00A51A1D23h 0x0000000c pushad 0x0000000d jns 00007F00A51A1D1Ch 0x00000013 pushad 0x00000014 jng 00007F00A51A1D16h 0x0000001a push edx 0x0000001b pop edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB81AF second address: AB81B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB81B8 second address: AB81BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB84A9 second address: AB84B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F00A51AE126h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8775 second address: AB8779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8779 second address: AB877D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB877D second address: AB8791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F00A51A1D16h 0x0000000e ja 00007F00A51A1D16h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8791 second address: AB8795 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8795 second address: AB879D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8A64 second address: AB8A7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE133h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB9352 second address: AB9385 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F00A51A1D1Ch 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b jmp 00007F00A51A1D25h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007F00A51A1D18h 0x0000001a push esi 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABB230 second address: ABB236 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABFC48 second address: ABFC50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABFC50 second address: ABFC60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F00A51AE12Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABFC60 second address: ABFC9C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jc 00007F00A51A1D16h 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F00A51A1D1Fh 0x0000001b pop esi 0x0000001c je 00007F00A51A1D1Ch 0x00000022 jl 00007F00A51A1D16h 0x00000028 push eax 0x00000029 push edx 0x0000002a push esi 0x0000002b pop esi 0x0000002c jl 00007F00A51A1D16h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC3D0C second address: AC3D10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC3D10 second address: AC3D16 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC3D16 second address: AC3D1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC2F56 second address: AC2F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007F00A51A1D1Ch 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jo 00007F00A51A1D16h 0x00000013 jp 00007F00A51A1D16h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC3749 second address: AC374E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC38E3 second address: AC3906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F00A51A1D29h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACD218 second address: ACD23D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F00A51AE135h 0x00000008 jg 00007F00A51AE126h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACB407 second address: ACB40D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACB40D second address: ACB411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACBF52 second address: ACBF60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F00A51A1D16h 0x0000000a pop edi 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACC778 second address: ACC7A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F00A51AE12Eh 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F00A51AE137h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACC7A8 second address: ACC7AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACC7AC second address: ACC7B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACD080 second address: ACD08F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 ja 00007F00A51A1D16h 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACAFB4 second address: ACAFBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F00A51AE126h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACAFBF second address: ACAFC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACAFC4 second address: ACAFD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F00A51AE126h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACAFD5 second address: ACAFF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51A1D1Ch 0x00000007 je 00007F00A51A1D16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jl 00007F00A51A1D16h 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACAFF3 second address: ACB00E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE136h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD2F12 second address: AD2F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD2F18 second address: AD2F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F00A51AE126h 0x0000000f jnc 00007F00A51AE126h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD2A66 second address: AD2A70 instructions: 0x00000000 rdtsc 0x00000002 je 00007F00A51A1D1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD2A70 second address: AD2A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F00A51AE135h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD2A8B second address: AD2A9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD2A9A second address: AD2A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD2A9E second address: AD2AB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51A1D24h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD903D second address: AD9061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F00A51AE136h 0x0000000d popad 0x0000000e pop ebx 0x0000000f pushad 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD9061 second address: AD906F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE03E8 second address: AE03EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE03EC second address: AE03F2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE03F2 second address: AE0401 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007F00A51AE126h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE0401 second address: AE0413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 je 00007F00A51A1D28h 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE0413 second address: AE0419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2A61 second address: AE2A67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2A67 second address: AE2A7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE133h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE5D62 second address: AE5D68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE5D68 second address: AE5D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F00A51AE131h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE5A79 second address: AE5A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F00A51A1D16h 0x0000000a popad 0x0000000b jmp 00007F00A51A1D28h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE5A9C second address: AE5AA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEBF1B second address: AEBF39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F00A51A1D28h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEBF39 second address: AEBF3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEBF3D second address: AEBF53 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F00A51A1D16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEBF53 second address: AEBF57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEBF57 second address: AEBF5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEBF5D second address: AEBF62 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEAA15 second address: AEAA76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51A1D29h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F00A51A1D26h 0x00000011 jmp 00007F00A51A1D23h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push ecx 0x0000001a push ecx 0x0000001b jmp 00007F00A51A1D1Dh 0x00000020 pop ecx 0x00000021 pushad 0x00000022 push ecx 0x00000023 pop ecx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A097AC second address: A097B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A097B0 second address: A097E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51A1D25h 0x00000007 jmp 00007F00A51A1D21h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jng 00007F00A51A1D16h 0x00000017 popad 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF50DA second address: AF50FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F00A51AE139h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF50FC second address: AF5100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF5100 second address: AF5111 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE12Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF5111 second address: AF5117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF5117 second address: AF5120 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF85D5 second address: AF85DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF85DB second address: AF85DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF85DF second address: AF85E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF85E4 second address: AF85EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFA871 second address: AFA877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFA877 second address: AFA881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFA881 second address: AFA886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFA886 second address: AFA8AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE12Dh 0x00000007 jns 00007F00A51AE128h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F00A51AE12Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFBDAC second address: AFBDB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B030E8 second address: B030F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B030F1 second address: B030F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B01A91 second address: B01A9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F00A51AE12Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B01A9F second address: B01AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B01C21 second address: B01C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B01C27 second address: B01C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F00A51A1D1Bh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B01C39 second address: B01C3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B01C3F second address: B01C52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F00A51A1D1Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B01D70 second address: B01D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F00A51AE130h 0x0000000e jmp 00007F00A51AE12Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B01D93 second address: B01D99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B01D99 second address: B01D9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B06BFC second address: B06C1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51A1D29h 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F00A51A1D16h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B06C1F second address: B06C23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0ADD1 second address: B0ADE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F00A51A1D23h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0ADE8 second address: B0ADEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B21BDE second address: B21BE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B21BE4 second address: B21C02 instructions: 0x00000000 rdtsc 0x00000002 je 00007F00A51AE136h 0x00000008 jmp 00007F00A51AE12Eh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B21758 second address: B21771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 pushad 0x00000008 jo 00007F00A51A1D16h 0x0000000e jnl 00007F00A51A1D16h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B21771 second address: B21775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B21775 second address: B21795 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F00A51A1D25h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B21795 second address: B217AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F00A51AE131h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FF811 second address: 9FF81F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 js 00007F00A51A1D16h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FF81F second address: 9FF83A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F00A51AE135h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B29800 second address: B29811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F00A51A1D1Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B29975 second address: B2999F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F00A51AE132h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F00A51AE12Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B29B4A second address: B29B50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B29B50 second address: B29B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F00A51AE126h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B29B5A second address: B29B5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B33F90 second address: B33F96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B33F96 second address: B33F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B360B7 second address: B360C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B360C4 second address: B360C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B360C8 second address: B360DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e jbe 00007F00A51AE144h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B37C2B second address: B37C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2E71A second address: B2E71E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2E71E second address: B2E723 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2E5BD second address: B2E5C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2E5C3 second address: B2E5D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F00A51A1D16h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2E5D1 second address: B2E5D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2E5D7 second address: B2E5DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4D704 second address: A4D709 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4D709 second address: A4D72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F00A51A1D2Bh 0x00000010 jmp 00007F00A51A1D25h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4D8E2 second address: A4D8E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4D8E6 second address: A4D8F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F00A51A1D16h 0x0000000e rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 88DC7B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 88DBA6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 88B276 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: AD4415 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 8949E4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeMemory allocated: 4FA0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\file.exeMemory allocated: 5300000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\file.exeMemory allocated: 5100000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A3A105 rdtsc 0_2_00A3A105
Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7124Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A78B90 GetSystemInfo,VirtualAlloc,0_2_00A78B90
Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: file.exeBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exeBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
Source: C:\Users\user\Desktop\file.exeFile opened: SICE
Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A3A105 rdtsc 0_2_00A3A105
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0088B7C6 LdrInitializeThunk,0_2_0088B7C6
Source: C:\Users\user\Desktop\file.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A2967E LogonUserA,0_2_00A2967E
Source: file.exe, 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Program Manager

Lowering of HIPS / PFW / Operating System Security Settings

barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\Desktop\file.exeRegistry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1Jump to behavior
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time ProtectionRegistry value created: DisableIOAVProtection 1Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time ProtectionRegistry value created: DisableRealtimeMonitoring 1Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\NotificationsRegistry value created: DisableNotifications 1Jump to behavior
Disables Windows Defender Tamper protection
Source: C:\Users\user\Desktop\file.exeRegistry value created: TamperProtection 0Jump to behavior
Modifies windows update settings
Source: C:\Users\user\Desktop\file.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptionsJump to behavior
Source: C:\Users\user\Desktop\file.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdatesJump to behavior
Source: C:\Users\user\Desktop\file.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocationsJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire Infrastructure1
Valid Accounts		2
Command and Scripting Interpreter		1
Valid Accounts		1
Valid Accounts		1
Masquerading		OS Credential Dumping641
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		1
Access Token Manipulation		1
Valid Accounts		LSASS Memory2
Process Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
Process Injection		1
Access Token Manipulation		Security Account Manager261
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
DLL Side-Loading		41
Disable or Modify Tools		NTDS23
System Information Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script2
Bypass User Account Control		261
Virtualization/Sandbox Evasion		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Process Injection		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
Obfuscated Files or Information		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
Software Packing		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
DLL Side-Loading		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron2
Bypass User Account Control		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
file.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1565434
Start date and time:2024-11-29 21:07:04 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 18s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated

Warnings

  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.445410984469778
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:2'870'784 bytes
MD5:d9a99fabad112a481f4edd491d42cc31
SHA1:703ed125b6ca6ede62afe5b4052e529ddbfcf65b
SHA256:f23764edfad2e0c8ddadbe725308855f9a5c5bbdc31e9c31398c85b817869456
SHA512:045e320003ff7412a6d8bfa6c070ee2082d18a6cc342aecf65250730e7f2e616c7610f3522e50bd35b7f268399cf2dd37f3e78471ce7e827452539bcffe9b2fd
SSDEEP:49152:+KljZy2xBhxzanblNYZN06RKMkShx7ya:Jl82xBhx22VRKM377
TLSH:7DD539A2B50876CFD49F267A8527DD82685E53FA471108C3E87E74B9BE73CC011B5E28
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........@,.. ...`....@.. ........................,......O,...`................................

File Icon

Icon Hash:00928e8e8686b000

Static PE Info

General

Entrypoint:0x6c4000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F00A44F78CAh
shrd dword ptr [ebx], ebp, 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F00A44F98C5h
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x80550x69.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x60000x59c.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x81f80x8.idata
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x00x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
0x20000x40000x1200e11952e7b3120d4eca5194b5f0f626bcFalse0.9318576388888888data7.778036052010301IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc0x60000x59c0x600aae15e30898a02f09cc86ed48aa06b09False0.4140625data4.036947054771808IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata 0x80000x20000x200ec9cb51e8cb4ea49a56ee3cf434fb69eFalse0.1484375data0.9342685949460681IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wyqduyzg0xa0000x2b80000x2b6e0049d47b8e6edbc4d6bc910e120e7ed7d0unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
czyuacgp0x2c20000x20000x400514a633d12e0064b2037aa94b0908fc5False0.732421875data5.752167689903062IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant0x2c40000x40000x22002a43c122871a97098e68fa465775ec4aFalse0.0625DOS executable (COM)0.7590858766700397IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

NameRVASizeTypeLanguageCountryZLIB Complexity
RT_VERSION0x60900x30cdata0.42948717948717946
RT_MANIFEST0x63ac0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

Imports

DLLImport
kernel32.dlllstrcpy

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

General

Target ID:0
Start time:15:07:59
Start date:29/11/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x880000
File size:2'870'784 bytes
MD5 hash:D9A99FABAD112A481F4EDD491D42CC31
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Disassembly

Reset < >

    Execution Graph

    Execution Coverage:3.3%
    Dynamic/Decrypted Code Coverage:15.8%
    Signature Coverage:29.8%
    Total number of Nodes:57
    Total number of Limit Nodes:2
    execution_graph 7502 88e88a 7503 88f17a VirtualAlloc 7502->7503 7504 a26000 7505 a272a1 LoadLibraryA 7504->7505 7507 a3a105 Sleep 7508 a3a115 7507->7508 7509 a17b26 LoadLibraryA 7510 a17b38 7509->7510 7513 88f624 7514 88f618 7513->7514 7515 88f683 VirtualAlloc 7513->7515 7514->7513 7514->7515 7516 88f695 7515->7516 7517 88b7c6 7518 88b7cb 7517->7518 7519 88b936 LdrInitializeThunk 7518->7519 7520 4fe1510 7521 4fe1514 ControlService 7520->7521 7523 4fe158f 7521->7523 7524 a1be4f CreateFileA 7525 a1be66 7524->7525 7526 a3bb56 CloseHandle 7527 a3bb60 7526->7527 7530 4fe0d48 7532 4fe0d4c OpenSCManagerW 7530->7532 7533 4fe0ddc 7532->7533 7534 4fe1308 7535 4fe1349 ImpersonateLoggedOnUser 7534->7535 7536 4fe1376 7535->7536 7537 a78b90 GetSystemInfo 7538 a78bb0 7537->7538 7539 a78bee VirtualAlloc 7537->7539 7538->7539 7550 a78edc 7539->7550 7541 a78c35 7542 a78edc VirtualAlloc 7541->7542 7544 a78cce 7541->7544 7543 a78c5f 7542->7543 7543->7544 7545 a78edc VirtualAlloc 7543->7545 7546 a78c89 7545->7546 7546->7544 7547 a78edc VirtualAlloc 7546->7547 7548 a78cb3 7547->7548 7548->7544 7549 a78edc VirtualAlloc 7548->7549 7549->7544 7552 a78ee4 7550->7552 7553 a78ef8 7552->7553 7556 a78f33 7553->7556 7557 a78f44 VirtualAlloc 7556->7557 7558 a78f2f 7556->7558 7557->7558 7559 a1c11a 7560 a1c120 CreateFileA 7559->7560 7561 a1c130 7560->7561 7562 a2639d 7563 a263e6 7562->7563 7564 a263f5 RegOpenKeyA 7563->7564 7565 a2641c RegOpenKeyA 7563->7565 7564->7565 7566 a26412 7564->7566 7567 a26439 7565->7567 7566->7565 7568 a2647d GetNativeSystemInfo 7567->7568 7569 a26488 7567->7569 7568->7569 7569->7569

    Executed Functions

    Function 00A78B90 Relevance: 3.1, APIs: 2, Instructions: 107memoryCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 27 a78b90-a78baa GetSystemInfo 28 a78bb0-a78be8 27->28 29 a78bee-a78c37 VirtualAlloc call a78edc 27->29 28->29 33 a78d1d-a78d22 call a78d26 29->33 34 a78c3d-a78c61 call a78edc 29->34 41 a78d24-a78d25 33->41 34->33 40 a78c67-a78c8b call a78edc 34->40 40->33 44 a78c91-a78cb5 call a78edc 40->44 44->33 47 a78cbb-a78cc8 44->47 48 a78cee-a78d05 call a78edc 47->48 49 a78cce-a78ce9 47->49 52 a78d0a-a78d0c 48->52 53 a78d18 49->53 52->33 54 a78d12 52->54 53->41 54->53
    APIs
    • GetSystemInfo.KERNELBASE(?,-11A45FEC), ref: 00A78B9C
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00A78BFD
    Memory Dump Source
    • Source File: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: 2f794520c06cd98d05201ea40f892ae5f12961fa01c31b20aa6655b0bd309956
    • Instruction ID: 483211633460bfc0ddc0946d6dde8beb5ed2c6e0ffb36e6c31d8d7ab760018ee
    • Opcode Fuzzy Hash: 2f794520c06cd98d05201ea40f892ae5f12961fa01c31b20aa6655b0bd309956
    • Instruction Fuzzy Hash: 764110B1F40206AFE375DF60CD49F96B7ACBF88740F508162A607DA583EB7495D48BA0
    Function 00A3A105 Relevance: 1.4, APIs: 1, Instructions: 106sleepCOMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID: Sleep
    • String ID:
    • API String ID: 3472027048-0
    • Opcode ID: 8e199dfd03eea74af6073ef4ab858f3ca759d857499c7adf33c9dc848f8607bb
    • Instruction ID: 979a8f9156877b17ecb7ec968343a24c65b8c02bb53b719ec8a627868c864d17
    • Opcode Fuzzy Hash: 8e199dfd03eea74af6073ef4ab858f3ca759d857499c7adf33c9dc848f8607bb
    • Instruction Fuzzy Hash: 8E3147B640C300AFE705BF69E881A7AFBF4FF58320F164D2DE6C582610E63559548B97
    Function 0088B7C6 Relevance: 1.3, Strings: 1, Instructions: 18COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID:
    • String ID: !!iH
    • API String ID: 0-3430752988
    • Opcode ID: 3790331298028f4ce44494ad0b0a9ae2ad66c9c6d6c6c77d19cf16fd8d0c9ede
    • Instruction ID: c4e6cd45e8ae7d706af1ab9091d16e3a83b2c391d9ceb5f4b52d3f6575773dc2
    • Opcode Fuzzy Hash: 3790331298028f4ce44494ad0b0a9ae2ad66c9c6d6c6c77d19cf16fd8d0c9ede
    • Instruction Fuzzy Hash: 0BE0C23110888D9ADB16FFA88D0179A7B1DFBC5740FA02124FA01DAE59DB3D5D118797
    Function 00A2639D Relevance: 4.6, APIs: 3, Instructions: 94registryCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 0 a2639d-a263f3 2 a263f5-a26410 RegOpenKeyA 0->2 3 a2641c-a26437 RegOpenKeyA 0->3 2->3 4 a26412 2->4 5 a26439-a26443 3->5 6 a2644f-a2647b 3->6 4->3 5->6 9 a26488-a26492 6->9 10 a2647d-a26486 GetNativeSystemInfo 6->10 11 a26494 9->11 12 a2649e-a264ac 9->12 10->9 11->12 14 a264b8-a264bf 12->14 15 a264ae 12->15 16 a264d2 14->16 17 a264c5-a264cc 14->17 15->14 18 a27567-a2756e 16->18 17->16 17->18 19 a27970-a288b8 18->19 20 a27574-a27867 18->20 24 a288ba 19->24 20->19 24->24
    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00A26408
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00A2642F
    • GetNativeSystemInfo.KERNELBASE(?), ref: 00A26486
    Memory Dump Source
    • Source File: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: 1d4d1a509dfdfdc218bc0d952825b367bf200784efe497fcdb74ef7d195b0873
    • Instruction ID: 497d6aa56ed9c278333b6961424939f5ed19c75f5e77f099d0e4a63a98c0aa23
    • Opcode Fuzzy Hash: 1d4d1a509dfdfdc218bc0d952825b367bf200784efe497fcdb74ef7d195b0873
    • Instruction Fuzzy Hash: 494159B100811E9FEF10EF14D949BEF7BB9EF04300F01052AE98586950D7765CA4DF6A
    Function 00A17B26 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90libraryCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 25 a17b26-a17b28 LoadLibraryA 26 a17b38-a17c4e 25->26
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: 0S#
    • API String ID: 1029625771-2031704785
    • Opcode ID: 659c70fff1689d4e38637d3d9bfbb23f20a22ca0da7a3669a20ba24b73abc033
    • Instruction ID: 7e47f6f7efbc6d60472d09cd93d05368862b1e399d9706f505304e2b4bb14ab2
    • Opcode Fuzzy Hash: 659c70fff1689d4e38637d3d9bfbb23f20a22ca0da7a3669a20ba24b73abc033
    • Instruction Fuzzy Hash: 5D3126F251C600AFE705AF58D881B7ABBE9FB98310F16492DE2C4C3750D27558508B97
    Function 00A17C54 Relevance: 1.6, APIs: 1, Instructions: 126libraryCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 73 a17c54-a17c57 LoadLibraryA 74 a17c65-a17c78 73->74 75 a17c5d-a17c64 73->75 77 a17c80-a17dce 74->77 78 a17c7e-a17c7f 74->78 75->74 80 a17dcf 77->80 78->77 80->80
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 0ac67f158bb5298c05531e0b57854c9262455416b6a1e0c51ccea504a1aff3cc
    • Instruction ID: ed821119460857caf853c918c11eee70bbcad5032f5c3929dba63c64b84b8a0c
    • Opcode Fuzzy Hash: 0ac67f158bb5298c05531e0b57854c9262455416b6a1e0c51ccea504a1aff3cc
    • Instruction Fuzzy Hash: 25416AF614C300AFE705AF29E8816BEFBE5FF88320F56492DE2C5C2610E6758480CA57
    Function 00A1C0CC Relevance: 1.6, APIs: 1, Instructions: 62fileCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 81 a1c0cc-a1c0d3 82 a1c120-a1c12a CreateFileA 81->82 83 a1c0d5-a1c0f0 81->83 84 a1c130-a1c13a 82->84 85 a1c14d-a1c161 call a1c164 82->85 86 a1c106-a1c107 83->86 87 a1c0f6 83->87 89 a1c140 84->89 90 a1c142 84->90 94 a1c2b5-a1c2e1 85->94 91 a1c10f-a1c12a 86->91 92 a1c10a call a1c11a 86->92 87->86 89->90 90->94 91->84 91->85 92->91 96 a1c2e3-a1c2ea 94->96 97 a1c2ec-a1c300 94->97 96->97 98 a1c301-a1c309 call a1c30c 96->98 97->98
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: a94a824cf1d5c7e50f69845246592f1cfa8e2344d006c2622d8d63c7596b87a8
    • Instruction ID: 91c402fba00b481cbb57867344fc116d97782f86787320bbb751c95602e907b3
    • Opcode Fuzzy Hash: a94a824cf1d5c7e50f69845246592f1cfa8e2344d006c2622d8d63c7596b87a8
    • Instruction Fuzzy Hash: 4011E27268931AAFDB15EF78C8507EE7B79EB05720F10056AE541CB542D3394C94CB1D
    Function 04FE0D41 Relevance: 1.6, APIs: 1, Instructions: 60COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 102 4fe0d41-4fe0d97 105 4fe0d9f-4fe0da3 102->105 106 4fe0d99-4fe0d9c 102->106 107 4fe0dab-4fe0dda OpenSCManagerW 105->107 108 4fe0da5-4fe0da8 105->108 106->105 109 4fe0ddc-4fe0de2 107->109 110 4fe0de3-4fe0df7 107->110 108->107 109->110
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04FE0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2259249049.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4fe0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: afd7c0d2348521a76ca02e222c78eedc016c9345ed8633651fda13b2e9c55930
    • Instruction ID: 8aee0e134aa0fcb76d07d35da5c15c5822285f750f4355be76186971521c0589
    • Opcode Fuzzy Hash: afd7c0d2348521a76ca02e222c78eedc016c9345ed8633651fda13b2e9c55930
    • Instruction Fuzzy Hash: B62104B6D012189FCB50DF99D884AEEBBF0EB88310F14856AD908AB244DB74A545CBA4
    Function 04FE0D48 Relevance: 1.6, APIs: 1, Instructions: 59COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 112 4fe0d48-4fe0d97 115 4fe0d9f-4fe0da3 112->115 116 4fe0d99-4fe0d9c 112->116 117 4fe0dab-4fe0dda OpenSCManagerW 115->117 118 4fe0da5-4fe0da8 115->118 116->115 119 4fe0ddc-4fe0de2 117->119 120 4fe0de3-4fe0df7 117->120 118->117 119->120
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04FE0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2259249049.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4fe0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 430bc7e1bcef28d1c81d4690032c3aa4b81b6ca661294c0dbf118c04122c1baa
    • Instruction ID: fa8dd5878e1ee397a9cfc031f6bebf792f75c33fce82749668e30d92d8ded41a
    • Opcode Fuzzy Hash: 430bc7e1bcef28d1c81d4690032c3aa4b81b6ca661294c0dbf118c04122c1baa
    • Instruction Fuzzy Hash: 7D2115B6C012189FCB50CF9AD884BDEFBF4EF88710F14815AD908AB204DB74A545CBA5
    Function 04FE1510 Relevance: 1.6, APIs: 1, Instructions: 54serviceCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 122 4fe1510-4fe158d ControlService 125 4fe158f-4fe1595 122->125 126 4fe1596-4fe15b7 122->126 125->126
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04FE1580
    Memory Dump Source
    • Source File: 00000000.00000002.2259249049.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4fe0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 1e09f42bc89a452c986cd0b69a87e80afdeedbbf6dae969c1ac4bb973e654f16
    • Instruction ID: e525404ff6db099ac9f1f7a5ab4e9dff2b97cc81d5f28a70e5d4fcafe74e1a0f
    • Opcode Fuzzy Hash: 1e09f42bc89a452c986cd0b69a87e80afdeedbbf6dae969c1ac4bb973e654f16
    • Instruction Fuzzy Hash: 7D11E4B1D003499FDB10CF9AC584BEEFBF4EB48320F10842AE559A3250D378A644CFA5
    Function 04FE1509 Relevance: 1.6, APIs: 1, Instructions: 53serviceCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 128 4fe1509-4fe1550 130 4fe1558-4fe158d ControlService 128->130 131 4fe158f-4fe1595 130->131 132 4fe1596-4fe15b7 130->132 131->132
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04FE1580
    Memory Dump Source
    • Source File: 00000000.00000002.2259249049.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4fe0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 7fdf6fc12660e4d69ddb3d1becea38a42b13400c90d50c08e338856c95e6a86c
    • Instruction ID: 04350c4c98c8a65a7be2e04353a745791237ba1b5028b2fa5312687ebc586111
    • Opcode Fuzzy Hash: 7fdf6fc12660e4d69ddb3d1becea38a42b13400c90d50c08e338856c95e6a86c
    • Instruction Fuzzy Hash: 0611E4B1D00249CFDB10CF9AD584BEEFBF4EB58324F10842AE559A7250D378A645CFA5
    Function 00A1BE4F Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 134 a1be4f-a1be60 CreateFileA 135 a1be72-a1be73 134->135 136 a1be66 134->136 137 a1be79-a1be92 135->137 138 a1c14d-a1c2e1 call a1c164 135->138 136->135 142 a1be98 137->142 143 a1be9e-a1beae 137->143 149 a1c2e3-a1c2ea 138->149 150 a1c2ec-a1c300 138->150 142->143 145 a1beb4 143->145 146 a1bec6-a1bef8 call a1befb 143->146 145->146 149->150 152 a1c301-a1c309 call a1c30c 149->152 150->152
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 2453b2451a5fe6d744c8889210af8fb2bf8377d1b153301520fdbb4bd9d673d3
    • Instruction ID: 8c64ebea86653ca5f43ac0d6ab26b3de26b4112270ca2f80db03221de95355b7
    • Opcode Fuzzy Hash: 2453b2451a5fe6d744c8889210af8fb2bf8377d1b153301520fdbb4bd9d673d3
    • Instruction Fuzzy Hash: 0EF046A11AD364BDD625A6304D56FFFBA658B52B60F20511AF3C28A8C2C38008C09279
    Function 04FE1301 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 158 4fe1301-4fe1341 159 4fe1349-4fe1374 ImpersonateLoggedOnUser 158->159 160 4fe137d-4fe139e 159->160 161 4fe1376-4fe137c 159->161 161->160
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04FE1367
    Memory Dump Source
    • Source File: 00000000.00000002.2259249049.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4fe0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: cd1abc100b7cad9209e48191da1aadaf44857a81d2aee64fb6aa7155f8622dde
    • Instruction ID: 0c213286e9c109fa5753acbb3f9f47a02cd0fcff73839f7fc5501e50f1e1b48a
    • Opcode Fuzzy Hash: cd1abc100b7cad9209e48191da1aadaf44857a81d2aee64fb6aa7155f8622dde
    • Instruction Fuzzy Hash: D71125B1800249CFDB10DF9AD585BEEBBF4EF49320F14846AD558A3640D778A545CFA1
    Function 04FE1308 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 163 4fe1308-4fe1374 ImpersonateLoggedOnUser 165 4fe137d-4fe139e 163->165 166 4fe1376-4fe137c 163->166 166->165
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04FE1367
    Memory Dump Source
    • Source File: 00000000.00000002.2259249049.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4fe0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 330a968043be98f64c4c1932335c160f2abd49cc209926fd4401cc16fda91912
    • Instruction ID: 5f058717b3d2af24fe44cecb8504a72ab24565b40c8ea460fe7af4b1ac49e6c5
    • Opcode Fuzzy Hash: 330a968043be98f64c4c1932335c160f2abd49cc209926fd4401cc16fda91912
    • Instruction Fuzzy Hash: CD1145B1800249CFDB10CF9AC549BEEFBF8EF48320F20846AD558A3640C778A944CFA5
    Function 00A1C11A Relevance: 1.5, APIs: 1, Instructions: 31fileCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 168 a1c11a-a1c12a CreateFileA 170 a1c130-a1c13a 168->170 171 a1c14d-a1c161 call a1c164 168->171 173 a1c140 170->173 174 a1c142 170->174 176 a1c2b5-a1c2e1 171->176 173->174 174->176 178 a1c2e3-a1c2ea 176->178 179 a1c2ec-a1c300 176->179 178->179 180 a1c301-a1c309 call a1c30c 178->180 179->180
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: e106b898c5daf4f4b1e6e8238f657315636bfea2a034797a35e9eec83b547dcb
    • Instruction ID: 8fb69ea49986ad3d9ac08bdbe0626dc0fcd073f6b14cf9c55187eb4ad5ef8008
    • Opcode Fuzzy Hash: e106b898c5daf4f4b1e6e8238f657315636bfea2a034797a35e9eec83b547dcb
    • Instruction Fuzzy Hash: FBF0827668422E9FDF54AF58D8543FE37A1EB19730F140526E804DBA41D73A5CE48B0D
    Function 00A26000 Relevance: 1.5, APIs: 1, Instructions: 23libraryCOMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: ceb4300212b213b7fcfd3292a86cb62267f2fd1efc52138722db7c3210f1e6d2
    • Instruction ID: af8d8f05ac02d139967489eb53190b55f9f648053f72c788cae625990c810d09
    • Opcode Fuzzy Hash: ceb4300212b213b7fcfd3292a86cb62267f2fd1efc52138722db7c3210f1e6d2
    • Instruction Fuzzy Hash: A7E0CAB900C620DFE7067F69A8808BEBBF0FF88721F22682CE4C245114D3720891EB53
    Function 00A1C009 Relevance: 1.5, APIs: 1, Instructions: 19fileCOMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: e61edc54a14163786837e21d02006a670fad00f45ad000018415e0d17a6226b7
    • Instruction ID: fb8203d9b596163f56ff9ce1884734e34a6d8fcb2e07c8830632c6889db9c779
    • Opcode Fuzzy Hash: e61edc54a14163786837e21d02006a670fad00f45ad000018415e0d17a6226b7
    • Instruction Fuzzy Hash: 7ED05E62AC53BA79DB11BB748D92BEE7A28CB55624F008259E74452492D2A41C418619
    Function 00A3BB56 Relevance: 1.4, APIs: 1, Instructions: 113COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 6fadb4029745bd0f28205ac1d6fe88e2feb7ba3487e80c291d57818affa8b08e
    • Instruction ID: e251f367044a56acaa69a95b61d07a95d31422ec9e72eff12e98c4e70aaad501
    • Opcode Fuzzy Hash: 6fadb4029745bd0f28205ac1d6fe88e2feb7ba3487e80c291d57818affa8b08e
    • Instruction Fuzzy Hash: 084136B251C300AFE715AF19E88167EF7E9EF54320F16492DE2C582610EB3158908B9B
    Function 0088F603 Relevance: 1.3, APIs: 1, Instructions: 40memoryCOMMON
    Download Yara Rule
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 0088F683
    Memory Dump Source
    • Source File: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 4a084f15169be1fccc95098ac1838da552bd734ecc30ad22ab6d9153d8a203f0
    • Instruction ID: 56ee6c45c336f6a23ffb9126641b829ccdbb9c55b70c3dc510385c1d6e3dde59
    • Opcode Fuzzy Hash: 4a084f15169be1fccc95098ac1838da552bd734ecc30ad22ab6d9153d8a203f0
    • Instruction Fuzzy Hash: 30018B7144C6198FD745BFB8984126EBBE0FF08710F110A2EE6D6C7291DA305800DB8A
    Function 00A78F33 Relevance: 1.3, APIs: 1, Instructions: 37memoryCOMMON
    Download Yara Rule
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00A78F2F,?,?,00A78C35,?,?,00A78C35,?,?,00A78C35), ref: 00A78F53
    Memory Dump Source
    • Source File: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 87afbaf5a12cb555b888b73d12f34f62b82b0bd747383b7235fd9d85e70041fb
    • Instruction ID: fe10e80ca458a0187b3a7e3e0b532ed6c9e679b413cd25429dd07b0c72018d80
    • Opcode Fuzzy Hash: 87afbaf5a12cb555b888b73d12f34f62b82b0bd747383b7235fd9d85e70041fb
    • Instruction Fuzzy Hash: 99F0D1B1A00206EFD7308F04CD09B9ABBA5FF89371F10C429F44A9B151D7B598D09B50
    Function 0088F5CA Relevance: 1.3, APIs: 1, Instructions: 27memoryCOMMON
    Download Yara Rule
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 0088F683
    Memory Dump Source
    • Source File: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: b1d766485f3256fc747ba15899be3c9dfe5c0b6486420bb915e4e77a5aff2674
    • Instruction ID: ce477ee666c967124c40a6bdee045eeb706ba4489f182754ec4a57acffa1c9c0
    • Opcode Fuzzy Hash: b1d766485f3256fc747ba15899be3c9dfe5c0b6486420bb915e4e77a5aff2674
    • Instruction Fuzzy Hash: 97F034B054C7198FD744BF68D8453AEB7E0FF08711F014A2DEA96C3280EA305C40CB8A
    Function 0088E88A Relevance: 1.3, APIs: 1, Instructions: 16memoryCOMMON
    Download Yara Rule
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 0088F17F
    Memory Dump Source
    • Source File: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a79e112646bf63962022770cae6fab81f946a5ec39bbfd0956e2ccb9f201343d
    • Instruction ID: 4bf86225d9ef931f2f486e80860c6332eadb35c668dd4127d0145d114fbda447
    • Opcode Fuzzy Hash: a79e112646bf63962022770cae6fab81f946a5ec39bbfd0956e2ccb9f201343d
    • Instruction Fuzzy Hash: 40D067F550CA189FE7417F28D84A3BEBAE4EF00305F150439EA85CA654E6718854CB8B
    Function 0088F624 Relevance: 1.3, APIs: 1, Instructions: 15memoryCOMMON
    Download Yara Rule
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 0088F683
    Memory Dump Source
    • Source File: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 77b4d011be0d898a41dcdf5c9ca6f317cd72c5b389012434b38a903e5546c281
    • Instruction ID: cd4a082602f843364932c3a63d514f95c82947c2ee264c04746918d508ad3968
    • Opcode Fuzzy Hash: 77b4d011be0d898a41dcdf5c9ca6f317cd72c5b389012434b38a903e5546c281
    • Instruction Fuzzy Hash: E8D0173992954F8B8B507FB894081DD37A0FA29335B340B68E922D2795EA228D60DB19

    Non-executed Functions

    Function 0089586E Relevance: .4, Instructions: 445COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a6711160683818ebe7c3e83e5f14f3755c18514cf8390d2cc1c15b30e1fee3aa
    • Instruction ID: ae01bc46db7dce56cb27de2cbe98cb0a814dfbf673c2904a6421a8bb11f8a849
    • Opcode Fuzzy Hash: a6711160683818ebe7c3e83e5f14f3755c18514cf8390d2cc1c15b30e1fee3aa
    • Instruction Fuzzy Hash: 87E1C2B3F152514FF3454A39CC643613A939BD6314F2F82BACA899B7D6D83E5C0A8384
    Function 00A17F93 Relevance: .2, Instructions: 206COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7c6ba78bf8ec9609c21634e770ad23fca9812c0bae46ce3ffaef20bb6e7bbece
    • Instruction ID: 4dbe11adb8d149ae47f86802425b589a6838e104b6ff2426c927755e9325de5d
    • Opcode Fuzzy Hash: 7c6ba78bf8ec9609c21634e770ad23fca9812c0bae46ce3ffaef20bb6e7bbece
    • Instruction Fuzzy Hash: B36117B250C600AFE305AF19E8856BEFBF5FF98720F16482DE6C583610D73588908B97
    Function 00A17FA5 Relevance: .2, Instructions: 196COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: aed03af0ed7355e5abb84947e021f85c0e1fb2f22a9efc5c22af294afd562888
    • Instruction ID: 7ce66254491df5e98ab80241317d2eb7d1393c311102c892ea82918d25b7c512
    • Opcode Fuzzy Hash: aed03af0ed7355e5abb84947e021f85c0e1fb2f22a9efc5c22af294afd562888
    • Instruction Fuzzy Hash: 6C6116B250C700EFE705AF19E8856BEFBE5EF98710F16482DE6C583610D73588908B9B
    Function 00A83346 Relevance: .2, Instructions: 158COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ec77faa85663aa9383f92a8d4218d2ae5c45ec433e238f545a6e7fdc2e51ca7b
    • Instruction ID: be241774ae5e6a2dc9c8eedb3f522097d0b3483f68944864e47c82174c1f698c
    • Opcode Fuzzy Hash: ec77faa85663aa9383f92a8d4218d2ae5c45ec433e238f545a6e7fdc2e51ca7b
    • Instruction Fuzzy Hash: 91518D7350D604EFD7057E19D8456BAF7F5FF90B10F26892EE2C286610EA705A40AB87
    Function 00A3AFE8 Relevance: .1, Instructions: 147COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 82f2f39b8b07a14d54a064bab2d5d06c915f7e09b43bd2ea8e763713eb5e9d3a
    • Instruction ID: 43205bedfc6f0c36e77896a0b0d96c483d29f9c29f524a797d5e3179415871d1
    • Opcode Fuzzy Hash: 82f2f39b8b07a14d54a064bab2d5d06c915f7e09b43bd2ea8e763713eb5e9d3a
    • Instruction Fuzzy Hash: 9641AFB250C210AFE719AF18DC81BAAF7E5FF98310F15492DE6C4C3350E63598508A97
    Function 00895CDB Relevance: .1, Instructions: 125COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d8893edfa1808e5713e1c8efbd57bc29dce07341dab649e56239570ec121ff13
    • Instruction ID: 2b2c5f4c474df683950debe81be87936e696520c3f0ec3560f202bac5d3a28e5
    • Opcode Fuzzy Hash: d8893edfa1808e5713e1c8efbd57bc29dce07341dab649e56239570ec121ff13
    • Instruction Fuzzy Hash: 4041ABB3F515250BF7488839CD593A66583EBE5314F2F82788B8D977C9DC7E980A5280
    Function 00A2967E Relevance: .0, Instructions: 19COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2256939282.0000000000A26000.00000080.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
    • Associated: 00000000.00000002.2256738576.0000000000880000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256754731.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256767997.0000000000886000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256780504.000000000088A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256794231.0000000000896000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256884190.00000000009FC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256896948.00000000009FE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A15000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256913222.0000000000A23000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256951388.0000000000A2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256963998.0000000000A35000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256976036.0000000000A3A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2256991457.0000000000A53000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257003574.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257015526.0000000000A5B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257028512.0000000000A66000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257042158.0000000000A75000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257055450.0000000000A78000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257068003.0000000000A79000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257079529.0000000000A7B000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257091803.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257102884.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257115567.0000000000A86000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257129303.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257143030.0000000000A93000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257154927.0000000000A95000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257168395.0000000000A96000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257181834.0000000000AA0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257193689.0000000000AA1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257205592.0000000000AA3000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257223008.0000000000AAB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257234099.0000000000AAD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257244870.0000000000AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257256800.0000000000AB2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257269451.0000000000AB9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257279717.0000000000ABA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257291301.0000000000ABB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257302295.0000000000AC0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257312153.0000000000AC1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257328555.0000000000AC4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257441360.0000000000ACD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257456994.0000000000ACF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257472333.0000000000AE1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257497053.0000000000AE4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B2B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257528334.0000000000B33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257567225.0000000000B42000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2257584111.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_880000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ce493448a20c84c0e8ce3fa1ed1f034fcbb66d645db55ccee2f56f05c756e673
    • Instruction ID: 7ba731d9747aaf638d91d3536504c8fbc4bcca1722f8dd010e99d3f8ae327f00
    • Opcode Fuzzy Hash: ce493448a20c84c0e8ce3fa1ed1f034fcbb66d645db55ccee2f56f05c756e673
    • Instruction Fuzzy Hash: AEE046B0A4810DCBEB604F18EC083EF36A0EF08304F180439E849C1A40E33B8D68CA4A