
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565535
MD5: dbe102896da778132a021cda8f323df0
SHA1: f7903a9d367df15fa3cc30b3025ec432df23169b
SHA256: 0199fbd0e92c15d3300bea2d557e553da953ea8bd7554be3f495861b8b88ffc9
Tags: exe user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7928 cmdline: "C:\Users\user\Desktop\file.exe" MD5: DBE102896DA778132A021CDA8F323DF0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe, Virustotal: Detection: 55%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_003E5B40 CryptVerifySignatureA
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1380890395.00000000047D0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe, Static PE information: section name:
Source: file.exe, Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00383000
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_003830C5
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00390638
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0039061C
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00390602
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_003917B4
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00215A80
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00385C22
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00420E5B
Source: C:\Users\user\Desktop\file.exe, Code function: String function: 003E0B35 appears 35 times
Source: file.exe, 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000002.1516497052.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine, Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe, Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, Virustotal: Detection: 55%
Source: file.exe, String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe, String found in binary or memory: 3The file %s is missing. Please, re-install this applicationFDS_WL_
Source: file.exe, String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe, String found in binary or memory: RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeS
Source: C:\Users\user\Desktop\file.exe, Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: sspicli.dll
Source: file.exe, Static file information: File size 2808832 > 1048576
Source: file.exe, Static PE information: Raw size of ozevqrls is bigger than: 0x100000 < 0x2a7a00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe, Unpacked PE file: 0.2.file.exe.200000.0.unpack :EW;.rsrc:W;.idata :W;ozevqrls:EW;hgyzpdrw:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample, Static PE information: section where entry point is pointing to: .taggant
Source: file.exe, Static PE information: real checksum: 0x2bb9bb should be: 0x2b987d
Source: file.exe, Static PE information: section name:
Source: file.exe, Static PE information: section name: .idata
Source: file.exe, Static PE information: section name: ozevqrls
Source: file.exe, Static PE information: section name: hgyzpdrw
Source: file.exe, Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00386695 push edi; mov dword ptr [esp], 7FFFC1E9h (0_2_003866A7)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00386695 push ebx; mov dword ptr [esp], edi (0_2_003866DB)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00386695 push edi; mov dword ptr [esp], 6F976C7Eh (0_2_00386713)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00386695 push edi; mov dword ptr [esp], edx (0_2_0038678C)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_003867C8 push ebp; mov dword ptr [esp], 77FF3112h (0_2_003867F0)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_003867C8 push 1F5B90D1h; mov dword ptr [esp], edi (0_2_00386824)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_003867C8 push ebx; mov dword ptr [esp], ecx (0_2_00386892)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0020E874 push 04BDDE30h; mov dword ptr [esp], ecx (0_2_0020F425)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00212021 push 11598431h; mov dword ptr [esp], eax (0_2_00212026)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00212021 push edx; mov dword ptr [esp], eax (0_2_00212032)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0038702F push ebp; mov dword ptr [esp], esi (0_2_0038704E)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00396016 push ebp; mov dword ptr [esp], edx (0_2_00396037)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00383000 push ebx; mov dword ptr [esp], eax (0_2_00383076)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00383000 push ecx; mov dword ptr [esp], edx (0_2_003830C2)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00383000 push 7A3C3B23h; mov dword ptr [esp], eax (0_2_003830FC)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00383000 push 32AAB904h; mov dword ptr [esp], ebx (0_2_0038316E)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00383000 push 57C5C253h; mov dword ptr [esp], esi (0_2_003831B9)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00383000 push ebx; mov dword ptr [esp], edi (0_2_003831DA)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00383000 push 23366DB2h; mov dword ptr [esp], ebx (0_2_0038332B)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00383000 push edi; mov dword ptr [esp], ebp (0_2_00383343)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00383000 push ecx; mov dword ptr [esp], edx (0_2_00383398)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00383000 push 024A5680h; mov dword ptr [esp], ecx (0_2_003833A6)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0021101D push esi; mov dword ptr [esp], esp (0_2_00211030)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00212060 push ebx; mov dword ptr [esp], edx (0_2_0021207E)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00212060 push ecx; mov dword ptr [esp], 7EF7F1D2h (0_2_00212424)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0039405F push ebp; mov dword ptr [esp], edx (0_2_00396037)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_003AA051 push 3233B15Dh; mov dword ptr [esp], edx (0_2_003AA059)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00390055 push edx; mov dword ptr [esp], ebp (0_2_00390061)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00390055 push edi; mov dword ptr [esp], eax (0_2_003901B2)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00394049 push 0E1322BFh; mov dword ptr [esp], eax (0_2_00394051)
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0049E0CA push esi; mov dword ptr [esp], ecx (0_2_0049E162)
Source: file.exe, Static PE information: section name: entropy: 7.799219711472262

Boot Survival

Source: C:\Users\user\Desktop\file.exe, Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe, Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe, Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe, Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe, Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe, Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe, File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe, File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CE519 second address: 3CE5B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD36451CF90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push ecx 0x0000000c push edi 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop edi 0x00000010 pop ecx 0x00000011 nop 0x00000012 mov dword ptr [ebp+122D1C8Ah], esi 0x00000018 pushad 0x00000019 jmp 00007FD36451CF91h 0x0000001e call 00007FD36451CF97h 0x00000023 sub dword ptr [ebp+122D370Eh], esi 0x00000029 pop ecx 0x0000002a popad 0x0000002b push 00000000h 0x0000002d mov dword ptr [ebp+122D1D57h], ebx 0x00000033 push 00000000h 0x00000035 xor di, 7D00h 0x0000003a xchg eax, esi 0x0000003b pushad 0x0000003c jmp 00007FD36451CF97h 0x00000041 jp 00007FD36451CF88h 0x00000047 push edi 0x00000048 pop edi 0x00000049 popad 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e pushad 0x0000004f popad 0x00000050 jmp 00007FD36451CF8Eh 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CE5B3 second address: 3CE5C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD364B52512h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D06E6 second address: 3D076C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD36451CF96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ebx, esi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FD36451CF88h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b sbb bh, FFFFFF8Fh 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007FD36451CF88h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 0000001Ah 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a movzx edi, dx 0x0000004d xchg eax, esi 0x0000004e push edx 0x0000004f jmp 00007FD36451CF91h 0x00000054 pop edx 0x00000055 push eax 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 jg 00007FD36451CF86h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D179D second address: 3D17BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD364B52517h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D17BB second address: 3D17CC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 je 00007FD36451CF8Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D2778 second address: 3D277C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CF712 second address: 3CF716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D08FC second address: 3D0900 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CF716 second address: 3CF71A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CE7D7 second address: 3CE7DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CF71A second address: 3CF72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD36451CF8Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D48A8 second address: 3D48AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D09D6 second address: 3D09E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FD36451CF86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CF7E4 second address: 3CF7E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D5983 second address: 3D598C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D4A46 second address: 3D4A54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FD364B52506h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D598C second address: 3D5990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D5B18 second address: 3D5B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D5B1C second address: 3D5B3A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FD36451CF8Fh 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D5B3A second address: 3D5B79 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 stc 0x00000009 push dword ptr fs:[00000000h] 0x00000010 push edi 0x00000011 add ebx, dword ptr [ebp+122D3C04h] 0x00000017 pop ebx 0x00000018 mov dword ptr [ebp+122D1D2Eh], eax 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 and ebx, dword ptr [ebp+122D380Fh] 0x0000002b mov eax, dword ptr [ebp+122D1645h] 0x00000031 mov ebx, dword ptr [ebp+1245B319h] 0x00000037 push FFFFFFFFh 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BEB71 second address: 3BEB75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DA11E second address: 3DA127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DA127 second address: 3DA144 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD36451CF99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DA144 second address: 3DA18B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD364B52514h 0x00000007 pushad 0x00000008 jmp 00007FD364B52519h 0x0000000d jmp 00007FD364B52515h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 377B44 second address: 377B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DE901 second address: 3DE905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DE905 second address: 3DE92E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD36451CF8Ch 0x00000007 jmp 00007FD36451CF99h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DE92E second address: 3DE963 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD364B52508h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnp 00007FD364B52518h 0x00000013 jmp 00007FD364B52512h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD364B5250Ch 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DE963 second address: 3DE97F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FD36451CF86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FD36451CF8Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DE97F second address: 3DE987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DE244 second address: 3DE254 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD36451CF86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DE3A3 second address: 3DE3A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DE3A9 second address: 3DE3B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DE3B2 second address: 3DE3B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DE3B8 second address: 3DE3BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EE063 second address: 3EE07A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD364B52506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007FD364B52506h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EE07A second address: 3EE07E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EE07E second address: 3EE090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FD364B52506h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F47B6 second address: 3F47D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007FD36451CF95h 0x0000000b jns 00007FD36451CF86h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F47D9 second address: 3F47EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push edx 0x00000009 pushad 0x0000000a ja 00007FD364B52506h 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F47EF second address: 3F47FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FD36451CF8Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F4EBE second address: 3F4EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F4EC2 second address: 3F4EDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD36451CF8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jng 00007FD36451CF86h 0x00000010 pop esi 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F4EDD second address: 3F4EE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F4EE3 second address: 3F4EF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 js 00007FD36451CF92h 0x0000000d jc 00007FD36451CF86h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F578C second address: 3F5796 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F5796 second address: 3F57A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD36451CF86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F87E2 second address: 3F87E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F87E6 second address: 3F87F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD36451CF86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FBF93 second address: 3FBF9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B7A36 second address: 3B7A3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B7A3C second address: 3A1970 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD364B52513h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e jmp 00007FD364B52513h 0x00000013 call dword ptr [ebp+122D36FEh] 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B7DF9 second address: 20DD36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FD36451CF92h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 push dword ptr [ebp+122D163Dh] 0x00000016 mov cx, si 0x00000019 call dword ptr [ebp+122D1CA8h] 0x0000001f pushad 0x00000020 add dword ptr [ebp+122D1CCAh], ebx 0x00000026 xor eax, eax 0x00000028 pushad 0x00000029 xor edi, dword ptr [ebp+122D3BC4h] 0x0000002f mov di, bx 0x00000032 popad 0x00000033 mov edx, dword ptr [esp+28h] 0x00000037 mov dword ptr [ebp+122D1CCAh], ecx 0x0000003d mov dword ptr [ebp+122D3B74h], eax 0x00000043 stc 0x00000044 mov esi, 0000003Ch 0x00000049 cmc 0x0000004a add esi, dword ptr [esp+24h] 0x0000004e mov dword ptr [ebp+122D1C32h], edx 0x00000054 lodsw 0x00000056 cmc 0x00000057 pushad 0x00000058 jmp 00007FD36451CF99h 0x0000005d or dword ptr [ebp+122D1CCAh], edx 0x00000063 popad 0x00000064 add eax, dword ptr [esp+24h] 0x00000068 jg 00007FD36451CF98h 0x0000006e pushad 0x0000006f mov dword ptr [ebp+122D1CCAh], ebx 0x00000075 mov eax, dword ptr [ebp+122D3B1Ch] 0x0000007b popad 0x0000007c mov ebx, dword ptr [esp+24h] 0x00000080 cmc 0x00000081 push eax 0x00000082 push eax 0x00000083 push edx 0x00000084 push ebx 0x00000085 push eax 0x00000086 push edx 0x00000087 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B7F6D second address: 3B7F73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B7F73 second address: 3B7FAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007FD36451CF96h 0x0000000b pop ebx 0x0000000c popad 0x0000000d add dword ptr [esp], 22F5B18Bh 0x00000014 mov edi, dword ptr [ebp+122D3AD0h] 0x0000001a push ACE898D2h 0x0000001f push eax 0x00000020 push edx 0x00000021 ja 00007FD36451CF88h 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B80AB second address: 3B80B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B8107 second address: 3B8112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B8A5C second address: 3B8A8F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD364B52506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e jns 00007FD364B52506h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop ebx 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c pushad 0x0000001d jmp 00007FD364B52513h 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B8B5B second address: 3B8BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 jmp 00007FD36451CF90h 0x0000000d lea eax, dword ptr [ebp+1247D847h] 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007FD36451CF88h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 00000017h 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D1CCAh], edx 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 pushad 0x00000038 popad 0x00000039 jmp 00007FD36451CF8Ah 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B8BAF second address: 3A2474 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FD364B52506h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007FD364B52508h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b mov di, D2E0h 0x0000002f mov ecx, dword ptr [ebp+122D3AF0h] 0x00000035 lea eax, dword ptr [ebp+1247D803h] 0x0000003b mov ecx, dword ptr [ebp+122D39A4h] 0x00000041 push eax 0x00000042 push edi 0x00000043 jmp 00007FD364B5250Eh 0x00000048 pop edi 0x00000049 mov dword ptr [esp], eax 0x0000004c mov edi, dword ptr [ebp+122D1C63h] 0x00000052 call dword ptr [ebp+122D371Ch] 0x00000058 jmp 00007FD364B52513h 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007FD364B5250Fh 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FC4D0 second address: 3FC510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007FD36451CF86h 0x0000000c popad 0x0000000d jmp 00007FD36451CF99h 0x00000012 popad 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD36451CF96h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FC64E second address: 3FC652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FC652 second address: 3FC656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FC656 second address: 3FC69B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD364B5250Bh 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FD364B52513h 0x00000013 jmp 00007FD364B52519h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FC69B second address: 3FC6B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD36451CF98h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FC6B7 second address: 3FC6D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007FD364B5250Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FCAEA second address: 3FCB20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FD36451CF99h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FD36451CF8Fh 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FCB20 second address: 3FCB24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FCB24 second address: 3FCB28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4074D3 second address: 407510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD364B5250Ah 0x0000000a popad 0x0000000b jc 00007FD364B52532h 0x00000011 jno 00007FD364B5250Ch 0x00000017 pushad 0x00000018 push esi 0x00000019 pop esi 0x0000001a push edi 0x0000001b pop edi 0x0000001c jmp 00007FD364B52514h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4068CC second address: 4068D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 405E8C second address: 405E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jo 00007FD364B52506h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 406F16 second address: 406F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40D5C6 second address: 40D5EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD364B52512h 0x00000009 jnl 00007FD364B52506h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007FD364B52506h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40D766 second address: 40D76A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40D76A second address: 40D770 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40D770 second address: 40D77A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40D77A second address: 40D78D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD364B5250Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40DA0F second address: 40DA17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40DB66 second address: 40DB70 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD364B52506h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40DE61 second address: 40DE67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40DFDE second address: 40DFE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40DFE2 second address: 40DFE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40DFE8 second address: 40DFEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40DFEE second address: 40DFF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FD36451CF86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40DFF8 second address: 40DFFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40DFFC second address: 40E015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 jg 00007FD36451CF8Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40E186 second address: 40E18B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40E18B second address: 40E1A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD36451CF8Ch 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40EA1B second address: 40EA43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FD364B52517h 0x0000000d pushad 0x0000000e popad 0x0000000f jne 00007FD364B52506h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40EA43 second address: 40EA5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD36451CF95h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40EA5C second address: 40EA77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD364B5250Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007FD364B52506h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40EA77 second address: 40EA7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 411D90 second address: 411D9A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD364B5250Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41539E second address: 4153B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD36451CF95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4153B7 second address: 4153DC instructions: 0x00000000 rdtsc 0x00000002 js 00007FD364B5250Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FD364B52533h 0x00000010 pushad 0x00000011 jmp 00007FD364B5250Ah 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4153DC second address: 4153EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD36451CF8Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 418901 second address: 418911 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD364B5250Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 418194 second address: 41819A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41819A second address: 4181BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD364B52519h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4181BB second address: 4181EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FD36451CF92h 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007FD36451CF92h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 418363 second address: 418377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD364B5250Ch 0x00000009 push eax 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 418377 second address: 4183A5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD36451CF92h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD36451CF98h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4183A5 second address: 4183A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41DA00 second address: 41DA0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007FD36451CF86h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41DA0C second address: 41DA35 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FD364B52519h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 pop eax 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41DA35 second address: 41DA4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD36451CF8Bh 0x0000000a js 00007FD36451CF92h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41DA4D second address: 41DA53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41CF26 second address: 41CF2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41D088 second address: 41D0C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD364B52515h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007FD364B5250Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD364B52518h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41D0C9 second address: 41D0F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FD36451CF86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FD36451CF96h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41D0F2 second address: 41D124 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD364B52512h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD364B5250Fh 0x0000000e jmp 00007FD364B5250Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41D124 second address: 41D128 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41D3A5 second address: 41D3C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD364B52506h 0x0000000a push eax 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007FD364B52506h 0x00000017 jbe 00007FD364B52506h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41D3C2 second address: 41D3C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4202DA second address: 4202EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD364B5250Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 425E66 second address: 425E72 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD36451CF8Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 425E72 second address: 425E7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 425E7A second address: 425E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 425FF3 second address: 425FFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 425FFF second address: 426008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B8616 second address: 3B863D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD364B52508h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ecx, 6C40E6CBh 0x00000012 push 00000004h 0x00000014 sub edi, dword ptr [ebp+122D39FCh] 0x0000001a nop 0x0000001b push eax 0x0000001c push edx 0x0000001d jo 00007FD364B52508h 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 426492 second address: 4264B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD36451CF8Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007FD36451CF90h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4264B8 second address: 4264BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 428928 second address: 42892E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 37E744 second address: 37E753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007FD364B52506h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 37E753 second address: 37E757 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 37E757 second address: 37E76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD364B5250Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 37E76B second address: 37E787 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 jnl 00007FD36451CF86h 0x0000000b pop ebx 0x0000000c pushad 0x0000000d jmp 00007FD36451CF8Bh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42E7AC second address: 42E7B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42E7B0 second address: 42E7C1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD36451CF86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42E7C1 second address: 42E7C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42E7C7 second address: 42E7CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42E7CB second address: 42E7D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42E7D3 second address: 42E7D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42EA95 second address: 42EA9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD364B52506h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42ED7D second address: 42ED81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42ED81 second address: 42ED95 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD364B52506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007FD364B52506h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42F06C second address: 42F086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD36451CF94h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42F086 second address: 42F08A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42F08A second address: 42F08E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42F373 second address: 42F378 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42FC1D second address: 42FC21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42FF29 second address: 42FF44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD364B52515h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42FF44 second address: 42FF48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 434339 second address: 43433F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43433F second address: 434343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4348C6 second address: 4348D0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD364B52512h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4348D0 second address: 4348EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD36451CF86h 0x0000000a jnp 00007FD36451CF8Ch 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4348EE second address: 4348F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4348F4 second address: 4348F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4348F8 second address: 434902 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD364B52506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 434C02 second address: 434C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 434D48 second address: 434D62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD364B52515h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 434D62 second address: 434D6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD36451CF86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 434D6E second address: 434D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD364B5250Eh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 441B1E second address: 441B2A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD36451CF8Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 440023 second address: 44003E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD364B5250Ch 0x0000000a popad 0x0000000b js 00007FD364B52530h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4401B4 second address: 4401B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4401B8 second address: 4401DC instructions: 0x00000000 rdtsc 0x00000002 je 00007FD364B52506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD364B52510h 0x0000000f js 00007FD364B5250Eh 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 440356 second address: 44035C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44035C second address: 440362 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 440362 second address: 44036C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD36451CF86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44036C second address: 440370 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 440370 second address: 440376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44066D second address: 440682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jbe 00007FD364B5250Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 440682 second address: 4406A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD36451CF94h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD36451CF8Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4406A6 second address: 4406D4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD364B52506h 0x00000008 je 00007FD364B52506h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 jmp 00007FD364B5250Fh 0x00000019 push edx 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jno 00007FD364B52506h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4406D4 second address: 4406D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43F796 second address: 43F79A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 446B4C second address: 446B50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 446B50 second address: 446B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD364B52506h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FD364B5250Bh 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 446B6C second address: 446B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD36451CF93h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 446992 second address: 4469AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD364B5250Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD364B5250Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4469AE second address: 4469B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4469B5 second address: 4469E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007FD364B5250Ch 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jl 00007FD364B5250Ch 0x00000014 ja 00007FD364B52506h 0x0000001a jbe 00007FD364B5250Ah 0x00000020 push ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44A57F second address: 44A594 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD36451CF91h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44A594 second address: 44A5A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FD364B52506h 0x0000000e jng 00007FD364B52506h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44A5A8 second address: 44A5AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 457CCE second address: 457CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 457CD4 second address: 457CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD36451CF92h 0x0000000c jbe 00007FD36451CF86h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 457E94 second address: 457ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FD364B52510h 0x0000000c pop ebx 0x0000000d jp 00007FD364B52549h 0x00000013 pushad 0x00000014 jmp 00007FD364B52510h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b jo 00007FD364B52506h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 457ECD second address: 457ED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45E1C9 second address: 45E1CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45DEC8 second address: 45DECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46B74A second address: 46B74E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46B74E second address: 46B754 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 472FD8 second address: 472FDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 476D22 second address: 476D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 476D26 second address: 476D3F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD364B52506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jne 00007FD364B52506h 0x00000011 js 00007FD364B52506h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 476D3F second address: 476D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4768C7 second address: 4768CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D172 second address: 47D178 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D178 second address: 47D17D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D17D second address: 47D185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48279B second address: 4827A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4827A1 second address: 4827E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD36451CF86h 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f jbe 00007FD36451CF86h 0x00000015 pushad 0x00000016 popad 0x00000017 pop eax 0x00000018 push ebx 0x00000019 jmp 00007FD36451CF94h 0x0000001e jmp 00007FD36451CF92h 0x00000023 pop ebx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 493CAD second address: 493CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 493CB1 second address: 493CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FD36451CF86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49B076 second address: 49B07E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49A331 second address: 49A36D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD36451CF98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jbe 00007FD36451CFB4h 0x00000010 jo 00007FD36451CF96h 0x00000016 jbe 00007FD36451CF86h 0x0000001c jmp 00007FD36451CF8Ah 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49A79D second address: 49A7A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49AA66 second address: 49AA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD36451CF92h 0x00000009 pop ebx 0x0000000a push ecx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49AA81 second address: 49AA86 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E56F second address: 49E575 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E575 second address: 49E581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E581 second address: 49E585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49DFFB second address: 49E02B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD364B5250Dh 0x00000007 jmp 00007FD364B52517h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007FD364B52506h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E02B second address: 49E039 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FD36451CF8Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 376040 second address: 376046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 376046 second address: 376055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FD36451CF86h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A3815 second address: 4A3845 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 je 00007FD364B52506h 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push ebx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FD364B52519h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A5009 second address: 4A5046 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD36451CF86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007FD36451CF8Eh 0x00000014 jmp 00007FD36451CF8Eh 0x00000019 popad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jnc 00007FD36451CF8Eh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A6AB5 second address: 4A6ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A6ABD second address: 4A6AD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD36451CF92h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A6AD5 second address: 4A6ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F587 second address: 49F5AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD36451CF8Eh 0x00000007 jg 00007FD36451CF86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jg 00007FD36451CF8Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E1CA second address: 49E1CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E1CE second address: 49E1E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD36451CF86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jne 00007FD36451CF86h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3BD6E2 second address: 3BD6E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 20DD9B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 3D8AC8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 20DCCC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 3AE60F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4A10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4B90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 6B90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038A02E rdtsc 0_2_0038A02E
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 8096 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E84D0 GetSystemInfo,VirtualAlloc,0_2_003E84D0
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038A02E rdtsc 0_2_0038A02E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0020B7F2 LdrInitializeThunk,0_2_0020B7F2
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E4C82 GetSystemTime,GetFileTime,0_2_003E4C82

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (the number in front of a technique is the count of matching signatures; entries without a number are the matrix's standard technique names)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 41 Disable or Modify Tools | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Bypass User Account Control | 261 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 261 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 24 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 2 Bypass User Account Control | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner
file.exe | 56% | Virustotal
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1565535
Start date and time:2024-11-30 05:35:08 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 14s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
No simulations
No context
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.5008892826507125
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:2'808'832 bytes
MD5:dbe102896da778132a021cda8f323df0
SHA1:f7903a9d367df15fa3cc30b3025ec432df23169b
SHA256:0199fbd0e92c15d3300bea2d557e553da953ea8bd7554be3f495861b8b88ffc9
SHA512:4737832a09cc765ca5aef70a4c55e0f766ffd1222fc4d0e2f0bab2118c0ae6f9db236068747d7e33e7e1d013d7f057028cfdd7455b58f24b6d22ce96458a6236
SSDEEP:49152:3p8qcqW+T6ab89+1/yNtoxbetaJSj4q5HV4hR6FA6:58qGq6ab8k5sGxK8SjLORU
TLSH:C3D53B9AB50572CBD48F1774B52BCD82685E43B9071149C39868B8BEBFA3EC532F5C24
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........@+.. ...`....@.. ........................+.......+...`................................
Icon Hash:00928e8e8686b000
Entrypoint:0x6b4000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007FD3647A744Ah
bts dword ptr [edx], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FD3647A9445h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi+00000002h], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi+00000080h], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi-80h], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
daa
add al, byte ptr [eax]
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
lahf
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x2000 | 0x4000 | 0x1200 | aff8816bfe8c0a673c8dbdbf8e9d3731 | False | 0.9353298611111112 | data | 7.799219711472262 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ozevqrls | 0xa000 | 0x2a8000 | 0x2a7a00 | 3eea120d113244c6b551108a8aa4ea69 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
hgyzpdrw | 0x2b2000 | 0x2000 | 0x600 | a899a31d8cb082d63955a06116880c1f | False | 0.5592447916666666 | data | 4.88433727977564 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2b4000 | 0x4000 | 0x2200 | c622c885f8383921582eabbc00c17f08 | False | 0.06824448529411764 | DOS executable (COM) | 0.7762978812241057 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data |  |  | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
No network behavior found
Target ID:0
Start time:23:35:59
Start date:29/11/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x200000
File size:2'808'832 bytes
MD5 hash:DBE102896DA778132A021CDA8F323DF0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true
    Execution Graph

    Execution Coverage:6.9%
    Dynamic/Decrypted Code Coverage:21.6%
    Signature Coverage:4.3%
    Total number of Nodes:399
    Total number of Limit Nodes:22
    execution_graph 7647 212661 7649 211bff 7647->7649 7648 211c3f 7649->7648 7651 3e8671 7649->7651 7652 3e867f 7651->7652 7653 3e869f 7652->7653 7655 3e8941 7652->7655 7653->7648 7656 3e8951 7655->7656 7658 3e8974 7655->7658 7656->7658 7659 3e8d3b 7656->7659 7658->7652 7662 3e8d42 7659->7662 7661 3e8d8c 7661->7658 7662->7661 7663 3e8c49 7662->7663 7665 3e8c5e 7663->7665 7664 3e8ce8 GetModuleFileNameA 7664->7665 7665->7664 7666 3e8d1e 7665->7666 7666->7662 7667 3e5c5e 7669 3e5c6a 7667->7669 7672 3e5c82 7669->7672 7671 3e5cac 7672->7671 7673 3e5b98 7672->7673 7675 3e5ba4 7673->7675 7683 3e0b35 GetCurrentThreadId 7675->7683 7677 3e5bb7 7678 3e5bf5 7677->7678 7679 3e5c30 7677->7679 7682 3e5bd1 7677->7682 7678->7682 7685 3e326f 7678->7685 7680 3e5c35 CreateFileMappingA 7679->7680 7680->7682 7684 3e0b4d 7683->7684 7684->7677 7687 3e3286 7685->7687 7686 3e32ef CreateFileA 7689 3e3334 7686->7689 7687->7686 7688 3e3383 7687->7688 7688->7682 7689->7688 7691 3e294e CloseHandle 7689->7691 7692 3e2962 7691->7692 7692->7688 7693 38a0b8 7694 38a0be CreateFileA 7693->7694 7695 38a0d3 7694->7695 7696 3e547f 7698 3e5488 7696->7698 7699 3e0b35 GetCurrentThreadId 7698->7699 7700 3e5494 7699->7700 7701 3e54e4 ReadFile 7700->7701 7702 3e54ad 7700->7702 7701->7702 7703 3e5dbc 7704 3e0b35 GetCurrentThreadId 7703->7704 7705 3e5dc8 7704->7705 7706 3e5de1 7705->7706 7707 3e5e30 MapViewOfFileEx 7705->7707 7707->7706 7708 3e27f7 7709 3e0b35 GetCurrentThreadId 7708->7709 7710 3e2803 7709->7710 7711 3e2821 7710->7711 7715 3e1247 7710->7715 7713 3e2852 GetModuleHandleExA 7711->7713 7714 3e2829 7711->7714 7713->7714 7716 3e1258 7715->7716 7717 3e1295 7715->7717 7716->7717 7719 3e10e8 7716->7719 7717->7711 7721 3e1115 7719->7721 7720 3e121b 7720->7716 7721->7720 7722 3e115e 7721->7722 7723 3e1143 PathAddExtensionA 7721->7723 7727 3e1180 7722->7727 7731 3e0d89 7722->7731 7723->7722 7725 3e11c9 7725->7720 7726 3e11f2 7725->7726 7729 3e0d89 lstrcmpiA 7725->7729 7726->7720 7730 3e0d89 lstrcmpiA 
7726->7730 7727->7720 7727->7725 7728 3e0d89 lstrcmpiA 7727->7728 7728->7725 7729->7726 7730->7720 7732 3e0da7 7731->7732 7733 3e0dbe 7732->7733 7735 3e0d06 7732->7735 7733->7727 7737 3e0d31 7735->7737 7736 3e0d79 7736->7733 7737->7736 7738 3e0d63 lstrcmpiA 7737->7738 7738->7736 7739 386695 LoadLibraryA 7740 38669d 7739->7740 7741 3e4bf0 7742 3e0b35 GetCurrentThreadId 7741->7742 7743 3e4bfc GetCurrentProcess 7742->7743 7744 3e4c48 7743->7744 7746 3e4c0c 7743->7746 7745 3e4c4d DuplicateHandle 7744->7745 7747 3e4c43 7745->7747 7746->7744 7748 3e4c37 7746->7748 7750 3e298d 7748->7750 7753 3e29b7 7750->7753 7751 3e2a4a 7751->7747 7753->7751 7754 3e2975 7753->7754 7757 3e09e0 7754->7757 7759 3e09f6 7757->7759 7758 3e0a10 7758->7751 7759->7758 7761 3e09c4 7759->7761 7762 3e294e CloseHandle 7761->7762 7763 3e09d4 7762->7763 7763->7758 7764 4a60848 7784 4a60862 7764->7784 7765 4a60868 7801 4a61188 7765->7801 7809 4a61198 7765->7809 7766 4a6086e 7817 4a613b0 7766->7817 7825 4a6139f 7766->7825 7767 4a60874 7833 4a61449 7767->7833 7842 4a61458 7767->7842 7768 4a60880 7778 4a61458 5 API calls 7768->7778 7779 4a61449 5 API calls 7768->7779 7769 4a6094c 7780 4a61458 5 API calls 7769->7780 7781 4a61449 5 API calls 7769->7781 7770 4a60958 7782 4a61458 5 API calls 7770->7782 7783 4a61449 5 API calls 7770->7783 7771 4a60964 7778->7769 7779->7769 7780->7770 7781->7770 7782->7771 7783->7771 7787 4a60ce0 7784->7787 7794 4a60cd0 7784->7794 7851 4a60514 7787->7851 7789 4a60d2d 7789->7765 7790 4a60cf3 7790->7789 7855 4a60538 7790->7855 7793 4a60538 3 API calls 7793->7789 7795 4a60514 OpenSCManagerW 7794->7795 7797 4a60cf3 7794->7797 7795->7797 7796 4a60d2d 7796->7765 7797->7796 7798 4a60538 3 API calls 7797->7798 7799 4a60d26 7798->7799 7800 4a60538 3 API calls 7799->7800 7800->7796 7807 4a611ac 7801->7807 7802 4a61221 7803 4a60538 3 API calls 7802->7803 7804 4a61229 7803->7804 7804->7766 7805 4a611f8 7805->7766 7807->7802 7807->7805 7808 4a60538 3 API calls 7807->7808 7867 4a605b0 
7807->7867 7808->7807 7815 4a611ac 7809->7815 7810 4a61221 7811 4a60538 3 API calls 7810->7811 7812 4a61229 7811->7812 7812->7766 7813 4a611f8 7813->7766 7814 4a605b0 ImpersonateLoggedOnUser 7814->7815 7815->7810 7815->7813 7815->7814 7816 4a60538 3 API calls 7815->7816 7816->7815 7823 4a613c3 7817->7823 7818 4a61433 7819 4a60538 3 API calls 7818->7819 7820 4a6143b 7819->7820 7820->7767 7821 4a6140f 7821->7767 7822 4a605b0 ImpersonateLoggedOnUser 7822->7823 7823->7818 7823->7821 7823->7822 7824 4a60538 3 API calls 7823->7824 7824->7823 7831 4a613c3 7825->7831 7826 4a61433 7827 4a60538 3 API calls 7826->7827 7828 4a6143b 7827->7828 7828->7767 7829 4a6140f 7829->7767 7830 4a605b0 ImpersonateLoggedOnUser 7830->7831 7831->7826 7831->7829 7831->7830 7832 4a60538 3 API calls 7831->7832 7832->7831 7834 4a60514 OpenSCManagerW 7833->7834 7836 4a61481 7834->7836 7835 4a614f2 7835->7768 7836->7835 7871 4a6065c 7836->7871 7838 4a614be 7839 4a60538 3 API calls 7838->7839 7840 4a614eb 7839->7840 7841 4a60538 3 API calls 7840->7841 7841->7835 7843 4a60514 OpenSCManagerW 7842->7843 7845 4a61481 7842->7845 7843->7845 7844 4a614f2 7844->7768 7845->7844 7846 4a6065c ControlService 7845->7846 7847 4a614be 7846->7847 7848 4a60538 3 API calls 7847->7848 7849 4a614eb 7848->7849 7850 4a60538 3 API calls 7849->7850 7850->7844 7852 4a60d48 OpenSCManagerW 7851->7852 7854 4a60ddc 7852->7854 7854->7790 7856 4a610f0 7855->7856 7859 3e3889 7856->7859 7857 4a60d26 7857->7793 7860 3e0b35 GetCurrentThreadId 7859->7860 7861 3e3895 7860->7861 7862 3e38be 7861->7862 7863 3e38ae 7861->7863 7865 3e38c3 CloseHandle 7862->7865 7864 3e2975 CloseHandle 7863->7864 7866 3e38b4 7864->7866 7865->7866 7866->7857 7868 4a61308 ImpersonateLoggedOnUser 7867->7868 7870 4a61376 7868->7870 7870->7807 7872 4a61510 ControlService 7871->7872 7874 4a6158f 7872->7874 7874->7838 7875 3e84d0 GetSystemInfo 7876 3e852e VirtualAlloc 7875->7876 7882 3e84f0 7875->7882 7890 3e881c 7876->7890 7878 3e864a 7881 3e8666 

    Control-flow Graph

    APIs
    • GetSystemInfo.KERNELBASE(?,-120C5FEC), ref: 003E84DC
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 003E853D
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: 1cb4e4a558adefe786e4b2bb5efcf42db32348c0e263d734b688353536f8ff12
    • Instruction ID: 0e42c7cfb20a89ece3bb8b05e090736f6a8c269b6895877b73c1cf7455edd77b
    • Opcode Fuzzy Hash: 1cb4e4a558adefe786e4b2bb5efcf42db32348c0e263d734b688353536f8ff12
    • Instruction Fuzzy Hash: 5E412FB2E40646EFE726CF618845F96B7ACBF48700F1005A2E647DE8C2DB7095D08BA0
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7fed31fcac333d848f3e9d373469511e3757d6feec85d3cec4b0d5904d9cced5
    • Instruction ID: e306720e8a02054d6e7efab59d38e3d0348da384b1ed9a6037b51462152e9d98
    • Opcode Fuzzy Hash: 7fed31fcac333d848f3e9d373469511e3757d6feec85d3cec4b0d5904d9cced5
    • Instruction Fuzzy Hash: FA0184F72887117DB202E6996E54AFB77ACE6C2770B31846BF402D6442E3945D096236
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID: !!iH
    • API String ID: 0-3430752988
    • Opcode ID: eaca23b151e30e936f6b36b4820e16b2be2a10b318619b3bf0948f89244634b8
    • Instruction ID: 6ee4e51d0e8974ed1bff5df65b6ed66dc7c06998684d7cc4eb2067b99edde8d0
    • Opcode Fuzzy Hash: eaca23b151e30e936f6b36b4820e16b2be2a10b318619b3bf0948f89244634b8
    • Instruction Fuzzy Hash: A8E0C2321B8B8E8ACF379F6088017A9771DEB40700F504116FA159AECBDB2D4C318F95

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 003E2319
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 003E232D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: f4d4b9f3d06b0206d7c2821d292e337b143286a22aff77bd3fa19a85221ce326
    • Instruction ID: 93601fc5fa76397ed1356d965ca15d4bd008e6da9708e800cce942a9872c7f89
    • Opcode Fuzzy Hash: f4d4b9f3d06b0206d7c2821d292e337b143286a22aff77bd3fa19a85221ce326
    • Instruction Fuzzy Hash: E3319C358041AAEFCF17AF52D904AAE7B7DFF04340F108715F9025A5E1C7719AA0EBA1

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,003E26A0,?,00000000,00000000), ref: 003E27CB
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,003E26A0,?,00000000,00000000), ref: 003E27D9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: d82e3ea0230520eb6f371b0ce1fec8a63c9a7ba40c60775c556a3212cd51f6ff
    • Instruction ID: 147e6e8e02924493507de8e5a746d9dabbd704fd866d012d7bbac920984dc152
    • Opcode Fuzzy Hash: d82e3ea0230520eb6f371b0ce1fec8a63c9a7ba40c60775c556a3212cd51f6ff
    • Instruction Fuzzy Hash: 5A11A1311012EAEEEB37AF26C80D7AA7679BF00349F014315F802588E2C7B4DCE4CA91

    Control-flow Graph

    APIs
    • GetFileAttributesW.KERNELBASE(00CA18E4,-120C5FEC), ref: 003E50E1
    • GetFileAttributesA.KERNEL32(00000000,-120C5FEC), ref: 003E50EF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: e4f952359a8dce2bfc09fe85ec99a74b61028d4265ffa595eb7dac1d083d0ef7
    • Instruction ID: b3557279065461fbce881b674b68ebc82400ed179d8294ac13d38951e4b710f4
    • Opcode Fuzzy Hash: e4f952359a8dce2bfc09fe85ec99a74b61028d4265ffa595eb7dac1d083d0ef7
    • Instruction Fuzzy Hash: 48018B30504A95FADF22AF26C90979D7E75BF40308F218214F102A94D0CBB09ED5EB80
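The dump names in the Memory Dump Source list above encode where each dumped region sat in the process and with which page protection it was mapped, which is what tells you which dump holds code that was writable at run time. The decoder below is an added example and not part of the Joe Sandbox report or of the analysed sample. Its field layout is inferred from the names on this page: the first two fields match the `0_2` of the snapshot name `hcaresult_0_2_200000_file.jbxd` (taken here to be process index and analysis iteration), the fifth and seventh fields take exactly Win32 `PAGE_*` and `MEM_*` values, and the third and sixth fields are not documented on the page, so they are kept raw as `sequence` and `flag` (an assumption). The `Download File` suffix on the Associated lines is the page's download-link residue and is simply not matched.

```python
import re
from dataclasses import dataclass

# Win32 page-protection constants (winnt.h). The names on this page use
# 0x04, 0x08, 0x40 and 0x80.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
# Win32 memory-type constants (winnt.h); 0x01000000 is MEM_IMAGE.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Field layout inferred from the report (assumption, not a documented format):
# proc.iteration.sequence.base.protect.flag.memtype.index.sdmp
DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<iteration>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flag>[0-9A-Fa-f]{8})\."
    r"(?P<memtype>[0-9A-Fa-f]{8})\.(?P<index>[0-9A-Fa-f]{8})\.sdmp"
)


@dataclass(frozen=True)
class DumpRegion:
    process: int
    iteration: int
    sequence: int   # third field, meaning not documented on the page
    base: int
    protect: int
    flag: int       # sixth field, meaning not documented on the page
    mem_type: int
    index: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect, f"0x{self.protect:08x}")

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:08x}")

    @property
    def writable_and_executable(self) -> bool:
        # W+X pages inside an image mapping are where self-modified code lives.
        return self.protect in EXECUTABLE and self.protect in WRITABLE


def parse_dump_name(name: str) -> DumpRegion:
    m = DUMP_RE.search(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(
        process=int(m["proc"], 16), iteration=int(m["iteration"], 16),
        sequence=int(m["seq"]), base=int(m["base"], 16),
        protect=int(m["protect"], 16), flag=int(m["flag"], 16),
        mem_type=int(m["memtype"], 16), index=int(m["index"], 16),
    )


def parse_dump_listing(text: str) -> list:
    """Pull every dump name out of 'Memory Dump Source' text; trailing link
    residue such as 'Download File' is not part of the match."""
    return [parse_dump_name(m.group(0)) for m in DUMP_RE.finditer(text)]


def wx_regions(regions) -> list:
    """Regions that are both writable and executable, lowest address first."""
    return sorted((r for r in regions if r.writable_and_executable), key=lambda r: r.base)


def protection_summary(regions) -> dict:
    counts = {}
    for r in regions:
        counts[r.protect_name] = counts.get(r.protect_name, 0) + 1
    return counts


def rva(region: DumpRegion, image_base: int = 0x200000) -> int:
    """Offset of the region inside the image; the report states Offset: 00200000."""
    return region.base - image_base


# Constructed sample: six lines copied from the listing above, residue included.
SAMPLE_LISTING = """\
Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmpDownload File
"""

if __name__ == "__main__":
    regions = parse_dump_listing(SAMPLE_LISTING)
    for r in wx_regions(regions):
        print(f"{r.base:08x} rva={rva(r):06x} {r.protect_name} {r.mem_type_name}")
    print(protection_summary(regions))
```

Run against the full list above, the decoder shows an image whose pages alternate between PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY from 0x202000 onwards, with only the header page at 0x200000 left non-executable; the regions flagged by `wx_regions` are the ones to pull first when looking for unpacked code.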

    Control-flow Graph

    control_flow_graph 87 3e10e8-3e1118 89 3e111e-3e1133 87->89 90 3e1243-3e1244 87->90 89->90 92 3e1139-3e113d 89->92 93 3e115f-3e1166 92->93 94 3e1143-3e1155 PathAddExtensionA 92->94 95 3e116c-3e117b call 3e0d89 93->95 96 3e1188-3e118f 93->96 100 3e115e 94->100 101 3e1180-3e1182 95->101 98 3e1195-3e119c 96->98 99 3e11d1-3e11d8 96->99 102 3e11b5-3e11c4 call 3e0d89 98->102 103 3e11a2-3e11ab 98->103 104 3e11de-3e11f4 call 3e0d89 99->104 105 3e11fa-3e1201 99->105 100->93 101->90 101->96 113 3e11c9-3e11cb 102->113 103->102 108 3e11b1 103->108 104->90 104->105 106 3e1207-3e121d call 3e0d89 105->106 107 3e1223-3e122a 105->107 106->90 106->107 107->90 112 3e1230-3e123d call 3e0dc2 107->112 108->102 112->90 113->90 113->99
    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 003E114A
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: the same 38 associated memory dumps (00200000 through 004B4000) listed under the first function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 873bcbcf7859a9280373e5890448ba7406b4bc588c3a3a01877a914ef0650dab
    • Instruction ID: 4e912e0e7792a69cb77bcc09357e064a38627083964e15dd04490334b5667a09
    • Opcode Fuzzy Hash: 873bcbcf7859a9280373e5890448ba7406b4bc588c3a3a01877a914ef0650dab
    • Instruction Fuzzy Hash: 94313C35A00299BFDF229F96DD09F9EB77AFF48340F044650FA01A90A0D7769AA1DB50

    Control-flow Graph

    control_flow_graph 118 3e27f7-3e280a call 3e0b35 121 3e284d-3e2861 call 3e0be0 GetModuleHandleExA 118->121 122 3e2810-3e281c call 3e1247 118->122 128 3e286b-3e286d 121->128 125 3e2821-3e2823 122->125 125->121 127 3e2829-3e2830 125->127 129 3e2839-3e2866 call 3e0be0 127->129 130 3e2836 127->130 129->128 130->129
    APIs
      • Part of subcall function 003E0B35: GetCurrentThreadId.KERNEL32 ref: 003E0B44
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 003E285B
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: the same 38 associated memory dumps (00200000 through 004B4000) listed under the first function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleThread
    • String ID: .dll
    • API String ID: 2752942033-2738580789
    • Opcode ID: 2c4723615f13cf281c376eb4f3c5adbc661004bff85c8b6c35b33203e428a7d6
    • Instruction ID: 77bfe55ff0da5cd8f5aac049253780dfa1c30d98d4ce402544e7f1c930e40be9
    • Opcode Fuzzy Hash: 2c4723615f13cf281c376eb4f3c5adbc661004bff85c8b6c35b33203e428a7d6
    • Instruction Fuzzy Hash: ADF0F0321002A9EFDF029F56CC49FAE3BA8FF04304F108210FD018A0A2C370D490DA10

    Control-flow Graph

    control_flow_graph 161 3e5284-3e5292 162 3e5298-3e529f 161->162 163 3e52a4 161->163 164 3e52ab-3e52b7 call 3e0b35 162->164 163->164 167 3e52bd-3e52c7 call 3e5191 164->167 168 3e52d2-3e52e2 call 3e5236 164->168 167->168 173 3e52cd 167->173 174 3e52e8-3e52ef 168->174 175 3e52f4-3e5302 call 3e1247 168->175 176 3e5313-3e5318 173->176 174->176 175->176 182 3e5308-3e5309 call 3e2a8b 175->182 178 3e531e-3e533c CreateFileW 176->178 179 3e5341-3e5356 CreateFileA 176->179 181 3e535c-3e535d 178->181 179->181 184 3e5362-3e5369 call 3e0be0 181->184 185 3e530e 182->185 185->184
    APIs
    • CreateFileW.KERNELBASE(00CA18E4,?,?,-120C5FEC,?,?,?,-120C5FEC,?), ref: 003E5336
      • Part of subcall function 003E5236: IsBadWritePtr.KERNEL32(?,00000004), ref: 003E5244
    • CreateFileA.KERNEL32(?,?,?,-120C5FEC,?,?,?,-120C5FEC,?), ref: 003E5356
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: the same 38 associated memory dumps (00200000 through 004B4000) listed under the first function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: fe052d742a0b5aea74716ead69aa7d41ff3781ab7a8045a2c647b72c0f86fa70
    • Instruction ID: 5c26df99e214ccd7b8e95526e276489154f0dcdf3287144508dcbad1f9cbfc88
    • Opcode Fuzzy Hash: fe052d742a0b5aea74716ead69aa7d41ff3781ab7a8045a2c647b72c0f86fa70
    • Instruction Fuzzy Hash: C9111A3640099AFBCF239F91DD09B9D3E25BF44348F158215FA02684E1C3B5C9B1EB51
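The `control_flow_graph` lines in the GetFileAttributes and CreateFile entries above are the text of the IDA-plugin graph image (the Executed / Not Executed colouring does not survive as text). The parser below is an added example and is not part of the Joe Sandbox report or of the sample. The token grammar it uses is inferred from those lines and is an assumption, not a documented format: a decimal block id followed by a hex address or address range opens a basic block, `call <addr>` records an intra-module call from the current block, a bare identifier records an imported API called from it, and `a->b` is an edge. On top of the parsed graph it answers the question a reverser asks of such wrappers: which block selects between the ANSI and Unicode variant of the API.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Token grammar inferred from the control_flow_graph lines on this page
# (an assumption about the extracted graph text, not a documented format):
#   <decimal id> <hex>[-<hex>]   opens a basic block covering that address range
#   call <hex>                   an intra-module call made from the current block
#   <Identifier>                 an imported API called from the current block
#   <id>-><id>                   a control-flow edge
ADDR_RE = re.compile(r"^[0-9a-fA-F]+(?:-[0-9a-fA-F]+)?$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    node: int
    start: int
    end: int
    calls: list = field(default_factory=list)   # intra-module call targets
    apis: list = field(default_factory=list)    # imported API names


@dataclass
class Cfg:
    blocks: dict
    edges: list

    def predecessors(self, node: int) -> list:
        return [s for s, d in self.edges if d == node]


def parse_cfg(line: str) -> Cfg:
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge[1]), int(edge[2])))
            i += 1
        elif tok == "call":
            if cur is None or i + 1 >= len(tokens):
                raise ValueError(f"dangling 'call' at token {i}")
            cur.calls.append(int(tokens[i + 1], 16))
            i += 2
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            lo, _, hi = tokens[i + 1].partition("-")
            cur = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            blocks[cur.node] = cur
            i += 2
        elif cur is not None and tok[0].isalpha():
            cur.apis.append(tok)
            i += 1
        else:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
    return Cfg(blocks, edges)


def api_blocks(cfg: Cfg) -> dict:
    """Imported API name -> ids of the blocks that call it."""
    out = defaultdict(list)
    for b in cfg.blocks.values():
        for api in b.apis:
            out[api].append(b.node)
    return dict(out)


def ansi_unicode_pairs(cfg: Cfg) -> dict:
    """Base name -> {'A': [...], 'W': [...]} for APIs present in both variants."""
    groups = defaultdict(dict)
    for api, nodes in api_blocks(cfg).items():
        if len(api) > 1 and api[-1] in "AW":
            groups[api[:-1]][api[-1]] = nodes
    return {base: v for base, v in groups.items() if set(v) == {"A", "W"}}


def dispatch_blocks(cfg: Cfg, pair: dict) -> list:
    """Blocks that branch directly to both the A and the W variant."""
    a_preds = {p for n in pair["A"] for p in cfg.predecessors(n)}
    w_preds = {p for n in pair["W"] for p in cfg.predecessors(n)}
    return sorted(a_preds & w_preds)


def entry_and_exits(cfg: Cfg) -> tuple:
    """Blocks with no predecessor and blocks with no successor."""
    has_pred = {d for _, d in cfg.edges}
    has_succ = {s for s, _ in cfg.edges}
    return (sorted(n for n in cfg.blocks if n not in has_pred),
            sorted(n for n in cfg.blocks if n not in has_succ))


# Graph text copied from the GetFileAttributes and CreateFile entries above.
GETFILEATTRIBUTES_CFG = (
    "control_flow_graph 66 3e5068-3e5076 67 3e507c-3e5083 66->67 68 3e5088 66->68 "
    "69 3e508f-3e50a5 call 3e0b35 call 3e1299 67->69 68->69 74 3e50ab-3e50b9 call 3e1247 "
    "69->74 75 3e50c4 69->75 80 3e50bf 74->80 81 3e50d0-3e50d5 74->81 77 3e50c8-3e50cb "
    "75->77 79 3e50fb-3e5102 call 3e0be0 77->79 80->77 84 3e50ec-3e50ef GetFileAttributesA "
    "81->84 85 3e50db-3e50e7 GetFileAttributesW 81->85 86 3e50f5-3e50f6 84->86 85->86 86->79"
)
CREATEFILE_CFG = (
    "control_flow_graph 161 3e5284-3e5292 162 3e5298-3e529f 161->162 163 3e52a4 161->163 "
    "164 3e52ab-3e52b7 call 3e0b35 162->164 163->164 167 3e52bd-3e52c7 call 3e5191 164->167 "
    "168 3e52d2-3e52e2 call 3e5236 164->168 167->168 173 3e52cd 167->173 174 3e52e8-3e52ef "
    "168->174 175 3e52f4-3e5302 call 3e1247 168->175 176 3e5313-3e5318 173->176 174->176 "
    "175->176 182 3e5308-3e5309 call 3e2a8b 175->182 178 3e531e-3e533c CreateFileW 176->178 "
    "179 3e5341-3e5356 CreateFileA 176->179 181 3e535c-3e535d 178->181 179->181 "
    "184 3e5362-3e5369 call 3e0be0 181->184 185 3e530e 182->185 185->184"
)

if __name__ == "__main__":
    for text in (GETFILEATTRIBUTES_CFG, CREATEFILE_CFG):
        g = parse_cfg(text)
        for base, pair in ansi_unicode_pairs(g).items():
            print(base, "A/W selected in block(s)", dispatch_blocks(g, pair))
```

For both wrappers the selection is made in a single two-way block (81 in the GetFileAttributes function, 176 in the CreateFile function) after the same helper `3e0b35` has run, and both variants rejoin before the common epilogue that calls `3e0be0`; that shared shape is what makes the two functions look like one runtime's A/W wrappers rather than hand-written code.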

    Control-flow Graph

    control_flow_graph 188 3e4bf0-3e4c06 call 3e0b35 GetCurrentProcess 191 3e4c0c-3e4c0f 188->191 192 3e4c48-3e4c6a call 3e0be0 DuplicateHandle 188->192 191->192 194 3e4c15-3e4c18 191->194 198 3e4c74-3e4c76 192->198 194->192 196 3e4c1e-3e4c31 call 3e098f 194->196 196->192 200 3e4c37-3e4c6f call 3e298d call 3e0be0 196->200 200->198
    APIs
      • Part of subcall function 003E0B35: GetCurrentThreadId.KERNEL32 ref: 003E0B44
    • GetCurrentProcess.KERNEL32(-120C5FEC), ref: 003E4BFD
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 003E4C63
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: the same 38 associated memory dumps (00200000 through 004B4000) listed under the first function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessThread
    • String ID:
    • API String ID: 3748180921-0
    • Opcode ID: 128c385ba9101273e250be5eddb3280bb36eac82809253d710302e51f9487ae9
    • Instruction ID: 60d8abdca33d1f8d6c74cf16a8d7fc9db552635589e669f16978813ff6aae1dd
    • Opcode Fuzzy Hash: 128c385ba9101273e250be5eddb3280bb36eac82809253d710302e51f9487ae9
    • Instruction Fuzzy Hash: 79014B3250019BBB8F176FA6ED09C9E3B3ABF98354B114311F90296091C731D0A2EB71

    Control-flow Graph

    control_flow_graph 205 3e3889-3e38a8 call 3e0b35 call 3e098f 210 3e38be-3e38ce call 3e0be0 CloseHandle 205->210 211 3e38ae-3e38af call 3e2975 205->211 217 3e38d8-3e38da 210->217 215 3e38b4-3e38d3 call 3e0be0 211->215 215->217
    APIs
      • Part of subcall function 003E0B35: GetCurrentThreadId.KERNEL32 ref: 003E0B44
    • CloseHandle.KERNELBASE(?,-120C5FEC,?,?,003E324C,?), ref: 003E38C7
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: the same 38 associated memory dumps (00200000 through 004B4000) listed under the first function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleThread
    • String ID: L2>
    • API String ID: 3305057742-2865816684
    • Opcode ID: 1547a7fc9bdd3a01d5e12a642b8330d4f6da6f545775c93980dc567ffb882cbe
    • Instruction ID: 6f2d6b55a285086e301ed8e041deea33b99fa622045316c817f881817f26fbd0
    • Opcode Fuzzy Hash: 1547a7fc9bdd3a01d5e12a642b8330d4f6da6f545775c93980dc567ffb882cbe
    • Instruction Fuzzy Hash: 71E048766040D7F6DA176BBBD90DD5F1A1CAFD1384B404325F5029D4D1DBB4D1D6C260

    Control-flow Graph
    control_flow_graph 219 389d3e-389d44 220 389dac-389df0 219->220 221 389d46-389d50 call 389d53 219->221 225 389e04-389e3b 220->225 226 389df6-389e03 220->226 221->220 229 389e3d 225->229 226->225 230 389e3f-389e43 229->230 231 389e55-389e62 229->231 233 389e88-389e8a 230->233 234 389e45-389e4d 230->234 232 389e64-389e84 231->232 241 389e91-389eaf CreateFileA call 389eb2 232->241 233->229 236 389e8d-389e8e 233->236 234->232 237 389e4e-389e54 call 389e5d 234->237 236->241 237->231
    APIs
    • CreateFileA.KERNELBASE(?), ref: 00389EA5
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 71a86f2ff4d08271c28cd9a6ff155b35a798367cb2149546d88349aed873dd08
    • Instruction ID: 04851cb8d0a61a91fa4602cf31307d24d941a7f3a78f8b08d2b5188d4ac0cde5
    • Opcode Fuzzy Hash: 71a86f2ff4d08271c28cd9a6ff155b35a798367cb2149546d88349aed873dd08
    • Instruction Fuzzy Hash: BC3105A204D3D16ED313A7705D6477A7F788F93220F2D44DBE481CB493E1542D4A9362

    Control-flow Graph
    control_flow_graph 244 3867c8-3867cb LoadLibraryA 245 3867db-386941 244->245
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: c2a10131f69233a3d18f40d35cbc91791a9945ce7cdfb4d1b29273b1a9800b69
    • Instruction ID: 7ee4092516f2bb69d94b1a509616c65176dc6536b81364b2c18743bd387853e3
    • Opcode Fuzzy Hash: c2a10131f69233a3d18f40d35cbc91791a9945ce7cdfb4d1b29273b1a9800b69
    • Instruction Fuzzy Hash: F43148B291C220AFD3097F18D88167DFBE8FF59320F16492DE6C693650DA3558518B87

    Control-flow Graph
    control_flow_graph 247 3e326f-3e3280 248 3e32af-3e32b8 call 3e0c13 247->248 249 3e3286-3e329a call 3e0c13 247->249 253 3e32be-3e32cf call 3e2a51 248->253 254 3e3395-3e3398 call 3e0c38 248->254 260 3e339d 249->260 261 3e32a0-3e32ae 249->261 262 3e32ef-3e332e CreateFileA 253->262 263 3e32d5-3e32d9 253->263 254->260 264 3e33a4-3e33a8 260->264 261->248 267 3e3334-3e3351 262->267 268 3e3352-3e3355 262->268 265 3e32df-3e32eb call 3e7ad9 263->265 266 3e32ec 263->266 265->266 266->262 267->268 271 3e335b-3e3372 call 3e0955 268->271 272 3e3388-3e3390 call 3e28e0 268->272 271->264 279 3e3378-3e3383 call 3e294e 271->279 272->260 279->260
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 003E3324
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 440ba25352c31255d01ab1aab25231d7b0d5710980737ff2b92f14a57a8d42e0
    • Instruction ID: 39d150d646f18dc615e111329da734634ea808a12562e8c4cc5b44bec58de129
    • Opcode Fuzzy Hash: 440ba25352c31255d01ab1aab25231d7b0d5710980737ff2b92f14a57a8d42e0
    • Instruction Fuzzy Hash: 5D318D71900244FEEB229FA6DC49F9EBBB8FF04324F208369F505AA1D1C7719A91CB50

    Control-flow Graph
    control_flow_graph 282 386695-386697 LoadLibraryA 283 38669d-3866a4 282->283 284 3866a5-3867c2 282->284 283->284
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 4f1fdb89def1b0b3efd95742d1e5b7f9ad4b1e0a7f020068400c6dafc8ed87d6
    • Instruction ID: 26745b2ca73b2aeda14806d7cc3924caa01cc8721a508259b00c5f3551db56d7
    • Opcode Fuzzy Hash: 4f1fdb89def1b0b3efd95742d1e5b7f9ad4b1e0a7f020068400c6dafc8ed87d6
    • Instruction Fuzzy Hash: FD3117B250C204EFD705AF29D881AAEFBE8FF99720F16482DE6C892610D7359480DB57

    Control-flow Graph
    control_flow_graph 286 3e2a8b-3e2a9a call 3e0c13 289 3e2ba0 286->289 290 3e2aa0-3e2ab1 call 3e2a51 286->290 292 3e2ba7-3e2bab 289->292 294 3e2ab7-3e2abb 290->294 295 3e2ad1-3e2b17 CreateFileA 290->295 296 3e2ace 294->296 297 3e2ac1-3e2acd call 3e7ad9 294->297 298 3e2b1d-3e2b3e 295->298 299 3e2b62-3e2b65 295->299 296->295 297->296 298->299 308 3e2b44-3e2b61 298->308 301 3e2b6b-3e2b82 call 3e0955 299->301 302 3e2b98-3e2b9b call 3e28e0 299->302 301->292 309 3e2b88-3e2b93 call 3e294e 301->309 302->289 308->299 309->289
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 003E2B0D
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 4764787995e349bb9ea31f7f8b0aa74bc4e5a5c03ca1513ccc3da135203540e3
    • Instruction ID: b953af7eedaa79bd7ea2f1771ce4c0af0b1734665080191868a2ee023a99fb1d
    • Opcode Fuzzy Hash: 4764787995e349bb9ea31f7f8b0aa74bc4e5a5c03ca1513ccc3da135203540e3
    • Instruction Fuzzy Hash: F331C171A40209BEEB319F65EC45F9A7BBCEB04724F208365F611FE1D1C7B1A5828B54
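    The two CreateFileA calls listed above (ref 003E3324 and ref 003E2B0D) are printed with raw hex arguments, and every memory dump on this page is named by a dotted string of hex fields. What follows is an added example, not code from the Joe Sandbox report, from the IDA plugin, or from the analysed sample: it parses those "APIs" lines and the .sdmp names into Win32 constants so the listing can be read without a header file at hand. Assumptions, all inferred from the lines shown here rather than from Joe Sandbox documentation: an API line has the shape Api.Module(hex,hex,...), ref: hex, a "?" is a value the sandbox could not resolve, and values past the seventh are stack slots beyond CreateFileA's parameter list; in a .sdmp name the fourth dotted field is the region base address, the fifth its page protection (every value on this page, 0x04, 0x08, 0x40 and 0x80, is a valid PAGE_* constant), and the seventh its memory type (0x01000000 is MEM_IMAGE). The sample lines embedded in the code are copied from this page.

```python
"""Decode Joe Sandbox 'APIs' lines and .sdmp dump names into Win32 constants.

Added example; not code from the Joe Sandbox report or from the analysed sample.
Assumptions (inferred from the listing on the page):
  * an API line reads '<Api>.<Module>(<hex>,<hex>,...), ref: <hex>'; '?' marks a
    value the sandbox could not resolve, and values past the seventh are stack
    slots beyond CreateFileA's parameter list;
  * in a .sdmp name, dotted field 4 is the region base, field 5 its page
    protection (all values seen are PAGE_* constants) and field 7 its memory
    type (0x01000000 == MEM_IMAGE). Remaining fields are returned raw.
"""
import re

API_LINE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Win32 constants from winnt.h / fileapi.h.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
              0x20000000: "FILE_FLAG_NO_BUFFERING", 0x40000000: "FILE_FLAG_OVERLAPPED",
              0x80000000: "FILE_FLAG_WRITE_THROUGH"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

CREATEFILE_PARAMS = ["lpFileName", "dwDesiredAccess", "dwShareMode", "lpSecurityAttributes",
                     "dwCreationDisposition", "dwFlagsAndAttributes", "hTemplateFile"]


def bit_names(value, table):
    """Expand a bitmask into constant names; unknown leftover bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(hex(value & ~known))
    return names


def parse_api_line(line):
    """Return (api, module, args, ref) from one 'APIs' bullet; '?' becomes None."""
    m = API_LINE.match(line.strip().lstrip("•").strip())
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    args = [None if a == "?" else int(a, 16) for a in m["args"].split(",") if a]
    return m["api"], m["module"], args, int(m["ref"], 16)


def decode_createfile(args):
    """Map the first seven printed values onto CreateFileA's parameters and name the flags."""
    out = {}
    for name, value in zip(CREATEFILE_PARAMS, args):  # zip stops at the shorter list
        if value is None:
            out[name] = None
        elif name == "dwDesiredAccess":
            out[name] = bit_names(value, GENERIC_ACCESS)
        elif name == "dwShareMode":
            out[name] = bit_names(value, SHARE_MODE)
        elif name == "dwCreationDisposition":
            out[name] = DISPOSITION.get(value, hex(value))
        elif name == "dwFlagsAndAttributes":
            out[name] = bit_names(value, FILE_FLAGS)
        else:
            out[name] = hex(value)
    for name in CREATEFILE_PARAMS[len(args):]:  # parameters the sandbox did not print
        out[name] = None
    return out


def decode_dump_name(name):
    """Split a .sdmp file name (field layout is an assumption, see module docstring)."""
    fields = name.removesuffix(".sdmp").split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected .sdmp name: {name!r}")
    protect = int(fields[4], 16)
    mem_type = int(fields[6], 16)
    return {
        "base": int(fields[3], 16),
        "protect": PAGE_PROTECT.get(protect, hex(protect)),
        "type": "MEM_IMAGE" if mem_type == 0x01000000 else hex(mem_type),
        "raw": fields,
    }


# Lines copied from this report page.
SAMPLE_API_LINES = [
    "• CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 003E3324",
    "• CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 003E2B0D",
    "• CreateFileA.KERNELBASE(?), ref: 00389EA5",
]
SAMPLE_DUMP = "00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp"

if __name__ == "__main__":
    for line in SAMPLE_API_LINES:
        api, module, args, ref = parse_api_line(line)
        print(f"{api} ({module}) @ {ref:#010x}: {decode_createfile(args)}")
    print(decode_dump_name(SAMPLE_DUMP))
```

    Run as a script, the first two lines decode to GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING with no flags, that is, a read-only open of an existing file whose path the sandbox did not resolve; the third line at ref 00389EA5 carries no resolved arguments and decodes to all None. The dump at 003D7000, where both decoded calls live, is marked 0x40, PAGE_EXECUTE_READWRITE, which is the writable-and-executable image region the "changes PE section rights" signature in the overview refers to.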

    Control-flow Graph
    control_flow_graph 313 389da1-389df0 317 389e04-389e3b 313->317 318 389df6-389e03 313->318 321 389e3d 317->321 318->317 322 389e3f-389e43 321->322 323 389e55-389e62 321->323 325 389e88-389e8a 322->325 326 389e45-389e4d 322->326 324 389e64-389e84 323->324 333 389e91-389eaf CreateFileA call 389eb2 324->333 325->321 328 389e8d-389e8e 325->328 326->324 329 389e4e-389e54 call 389e5d 326->329 328->333 329->323
    APIs
    • CreateFileA.KERNELBASE(?), ref: 00389EA5
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: b979886cbdc8c75b62346ae2e1c6ec09572474538c377459b2a2c5715572fcea
    • Instruction ID: e7f2680472a1dad5cde89cb2230d83c55c6e3a0e9778bd3f19634fbda8c92317
    • Opcode Fuzzy Hash: b979886cbdc8c75b62346ae2e1c6ec09572474538c377459b2a2c5715572fcea
    • Instruction Fuzzy Hash: D211D3A214D3816EE303EA605A507BA7F2DDBC3330B3944DBF841CA883D1941D59A335
    APIs
    • CreateFileA.KERNELBASE(?), ref: 00389EA5
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: debc51871dea46579a676e425b547cdc5f92a2223c1811fe81f0f818ca8f3fa9
    • Instruction ID: 0c9bb49ad3f2f04fe4d0a70c6bfeb491bc61451f5d0399b6719fb57a215ed7ae
    • Opcode Fuzzy Hash: debc51871dea46579a676e425b547cdc5f92a2223c1811fe81f0f818ca8f3fa9
    • Instruction Fuzzy Hash: 5111E3A21493856DE303EB605A607BA7F2DEBC3730B3844DBF441DA942E1552E595371
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE(?), ref: 04A61367
    Memory Dump Source
    • Source File: 00000000.00000002.1517674030.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a60000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: d8ce99a823f52fb92e7d5a8adfff80e991b85ec544677bd21d95af120de47b14
    • Instruction ID: b0bf7d8764c2d4fd020a5da39861524017a824878794f64788c1da59fa32ffe5
    • Opcode Fuzzy Hash: d8ce99a823f52fb92e7d5a8adfff80e991b85ec544677bd21d95af120de47b14
    • Instruction Fuzzy Hash: 4021BEB1804389CFDB11CFAAC4857EEBFF4EF49324F15805AC095A7652D738AA45CBA1
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,00000000), ref: 003E8CF6
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: fbad45874191e147fbc066d394f707f6170352ed53f8011a040a747788b35d10
    • Instruction ID: 1903fd3dfc39a35733cecb8288e7e2d13963988952f1c15b6bf37e95c9d9801d
    • Opcode Fuzzy Hash: fbad45874191e147fbc066d394f707f6170352ed53f8011a040a747788b35d10
    • Instruction Fuzzy Hash: 3D11D671E0127D9FEB724B468C48FEBB77CEF25750F1181A5E809A60C5EF709D808AA0
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?,?,?,?,?,?,?,?,?,04A60CF3,000F003F), ref: 04A60DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1517674030.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a60000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 1944b6c0ab74f5445ea41f255aa34d76bd36dd1852f0c17a720d416ffe880654
    • Instruction ID: a6fe5b7309931ee3409ec61a8873474bb192362d78f67a54161401ee3b73c2f2
    • Opcode Fuzzy Hash: 1944b6c0ab74f5445ea41f255aa34d76bd36dd1852f0c17a720d416ffe880654
    • Instruction Fuzzy Hash: 512138B6C01209DFCB10CF99D885BDEFBF0EB88710F15821AD919AB244D774A941CFA4
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?,?,?,?,?,?,?,?,?,04A60CF3,000F003F), ref: 04A60DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1517674030.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a60000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 49e405b406afb4d5c7a8e4b6ef500fda35c28835e054461ed7d051da3f0ce456
    • Instruction ID: 2a1388879c5f84a7b2b52f955bd3aae0bdfd6b7824444f60db1bc6723c2032e5
    • Opcode Fuzzy Hash: 49e405b406afb4d5c7a8e4b6ef500fda35c28835e054461ed7d051da3f0ce456
    • Instruction Fuzzy Hash: B52137B6C04209DFDB50DF99D884BDEFBF4EF88710F14821AE919AB245D774A540CBA4
    APIs
    • ControlService.ADVAPI32(00000000,00000001,?), ref: 04A61580
    Memory Dump Source
    • Source File: 00000000.00000002.1517674030.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a60000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 225a7754ad828e9a717f47559954bf7a6af8ba18d61cb6bec663f05c9111d9a3
    • Instruction ID: 6ac1d020242e31bf730d9f581af0d41607f0a0df3d547c15e7067f0bad16662d
    • Opcode Fuzzy Hash: 225a7754ad828e9a717f47559954bf7a6af8ba18d61cb6bec663f05c9111d9a3
    • Instruction Fuzzy Hash: 9D2106B19003499FDB10DF9AC484BDEFBF4EB48320F108429E519A7251D378AA44CFA5
    APIs
    • ControlService.ADVAPI32(00000000,00000001,?), ref: 04A61580
    Memory Dump Source
    • Source File: 00000000.00000002.1517674030.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a60000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 91740dd4c99e3c625b48aa81d715df095143cba0899a06c349b9b0a829a39da9
    • Instruction ID: b0d0716285b09df85fb3cc9118f8c5f1c543c2c2a94f90558546b57612d1967a
    • Opcode Fuzzy Hash: 91740dd4c99e3c625b48aa81d715df095143cba0899a06c349b9b0a829a39da9
    • Instruction Fuzzy Hash: E621D3B59003499FDB10CFAAD484BDEFBF4EB48320F108429E559A7250D778AA45CFA5
    APIs
    • CreateFileA.KERNELBASE(?), ref: 00389EA5
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 0a486c0ae8c95e19c81ddd10067024498c8401d62a761361ab18267d4e5ef941
    • Instruction ID: 932f37db6c440a07f0fe34fe3b8347656810cbfcd29f765cfeb1d2dd1977642e
    • Opcode Fuzzy Hash: 0a486c0ae8c95e19c81ddd10067024498c8401d62a761361ab18267d4e5ef941
    • Instruction Fuzzy Hash: F80124B61593955EE3139A7059203BA3F29CBE7330F3C04DAE881CA883C5581C969316
    APIs
      • Part of subcall function 003E0B35: GetCurrentThreadId.KERNEL32 ref: 003E0B44
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-120C5FEC), ref: 003E5E43
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CurrentFileThreadView
    • String ID:
    • API String ID: 1949693742-0
    • Opcode ID: bc96d7d85c2c43d6f3a5f6a1906bdb9133095134b4ff55c055396a54d3cfd4fc
    • Instruction ID: 36d3d6ceb866baaa1008fbf86bf409b46dad89f28f235296d871d6845c59d5ca
    • Opcode Fuzzy Hash: bc96d7d85c2c43d6f3a5f6a1906bdb9133095134b4ff55c055396a54d3cfd4fc
    • Instruction Fuzzy Hash: D8115E3240059AFBCF135FA6DD09DDF3B6ABF84384B044611F901590A1C376DAB1EB61
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE(?), ref: 04A61367
    Memory Dump Source
    • Source File: 00000000.00000002.1517674030.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a60000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 0f6177bddaa790803ed98aa9bdcc13df200dd7e20551211073d2ea2bd706377b
    • Instruction ID: dd0d3bad6641a2d2d4814c28b5c42e46c31fe44faa89a99357f2d5514feb4ed7
    • Opcode Fuzzy Hash: 0f6177bddaa790803ed98aa9bdcc13df200dd7e20551211073d2ea2bd706377b
    • Instruction Fuzzy Hash: 661125B1900349CFDB10DF9AC444BEEBBF8EB48320F10846AD559A3650D778A944CFA5
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CurrentThread
    • String ID:
    • API String ID: 2882836952-0
    • Opcode ID: 3b1ba8ab27a8e6a3ffcf7fe6ac4c4fa2433ffee2d89bc3120abe38508bb3fc2d
    • Instruction ID: 0bcafcb07a2f19365fb276b9c80a162d7ca926644ca4c4484d97d9e34ad7650b
    • Opcode Fuzzy Hash: 3b1ba8ab27a8e6a3ffcf7fe6ac4c4fa2433ffee2d89bc3120abe38508bb3fc2d
    • Instruction Fuzzy Hash: 2A118E321006AAEACF17AFE6C959E9E3B75BF04348F244610F9014A0A1C775CAA5EB50
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE(?), ref: 04A61367
    Memory Dump Source
    • Source File: 00000000.00000002.1517674030.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a60000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: cd23c05c919ed859434710f034356c3b2159d2f3f66d137de7562f29a370b9cf
    • Instruction ID: c5df8d03dffa1c9149e1a1c84e97e3f6dc05d27a9f3443eb172e88fa45b14684
    • Opcode Fuzzy Hash: cd23c05c919ed859434710f034356c3b2159d2f3f66d137de7562f29a370b9cf
    • Instruction Fuzzy Hash: 851113B18002498FDB10DF9AC484BDEBBF4EB48320F10842AD559A7650C778A544CFA5
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: b6dbec79c795345218df0a50f5fbbaa16f24fc9482ae8f7680e42c2428d53a65
    • Instruction ID: 6327f3947200ca19ee046df9b9dfa2b6563bd00da0a8a2a029c69b1c7544b7e7
    • Opcode Fuzzy Hash: b6dbec79c795345218df0a50f5fbbaa16f24fc9482ae8f7680e42c2428d53a65
    • Instruction Fuzzy Hash: F5F0C2F314938A2DF743AF259D90BBE7BA8EB92760F25809BE400CA482D7951C459726
    APIs
      • Part of subcall function 003E0B35: GetCurrentThreadId.KERNEL32 ref: 003E0B44
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-120C5FEC,?,?,003E31B7,?,?,00000400,?,00000000,?,00000000), ref: 003E54F4
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CurrentFileReadThread
    • String ID:
    • API String ID: 2348311434-0
    • Opcode ID: 7d8991692b58ffe1f1913714c7c31b73cfaa7c9469d24be0a40b318df0e4a05e
    • Instruction ID: 50fb9b732f46323541a1f9d824037240256fd5757402b79d17e640e18185fcf9
    • Opcode Fuzzy Hash: 7d8991692b58ffe1f1913714c7c31b73cfaa7c9469d24be0a40b318df0e4a05e
    • Instruction Fuzzy Hash: 01F0193310459AEBCF175F96DC09E9E3B2ABF55348F108211FA02490A1D772D4A1EB60
    APIs
    • CreateFileA.KERNELBASE(?), ref: 00389EA5
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: d5516e8d4e2d8d8f6c34c631712d4db890e2b1f8e2b050f55e2abee10954b01b
    • Instruction ID: 8d101462bdfda07facec27a779ad3367e6043067561a41bb8d8ba1691b032625
    • Opcode Fuzzy Hash: d5516e8d4e2d8d8f6c34c631712d4db890e2b1f8e2b050f55e2abee10954b01b
    • Instruction Fuzzy Hash: 37E092F62953193CF703EA505EA0BBF3A1DCBD2730F3444ABF801CA482C5941D962369
    APIs
    • CreateFileA.KERNELBASE(?,0038A02A,00000003), ref: 0038A0C5
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 47d875ec33fc6f1fc9125f5667e4952ff0337a5f1815f3285a710cc7e741e5c7
    • Instruction ID: 9498cfa10e8683a179f11d91a7c1a3eb27ba58d242f2152c9f0be6634c9e1874
    • Opcode Fuzzy Hash: 47d875ec33fc6f1fc9125f5667e4952ff0337a5f1815f3285a710cc7e741e5c7
    • Instruction Fuzzy Hash: 2AD097A218C24BADE7027A711C8038CB7049E00220F28004BA014CB0C3E0801C0A1747
    APIs
    • CreateFileA.KERNELBASE(?,0038A02A,00000003), ref: 0038A0C5
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: a7d9b5f4cadf906bacd897f91abe01e4f5c3a39674f095a1fc64fb542eb1af67
    • Instruction ID: ce110e7282205cd93ccab1a6403c8a7e9928405570a4485463ebdba59c5165c4
    • Opcode Fuzzy Hash: a7d9b5f4cadf906bacd897f91abe01e4f5c3a39674f095a1fc64fb542eb1af67
    • Instruction Fuzzy Hash: 6CC080731545662ED7127F759C5035EF720EB54220F265096E454DB5C3D1455C035745
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: 418f701be3677f31005d82947ef55d61d7f8f4a2e194a5bbb80c9306e8e2c823
    • Instruction ID: a8a45274747329e4f2d81e10cf3eeeebc43f2858d95b52dbbc4ef37736fa3f22
    • Opcode Fuzzy Hash: 418f701be3677f31005d82947ef55d61d7f8f4a2e194a5bbb80c9306e8e2c823
    • Instruction Fuzzy Hash: 51012832A00159FFCF129FA5CC44DCEBB7AFF48340F004261A401A84A5E7729AA1DBA0
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,003E886F,?,?,003E8575,?,?,003E8575,?,?,003E8575), ref: 003E8893
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: dcaa3a5c4f4efd9c1ab00f0bcdf7186e47c101a48b761f18d849e54cfe56511a
    • Instruction ID: 6387f6aa71a59c35de94d89d2ed89f58eadb649bd5bba94ef56f68fa5ab32f12
    • Opcode Fuzzy Hash: dcaa3a5c4f4efd9c1ab00f0bcdf7186e47c101a48b761f18d849e54cfe56511a
    • Instruction Fuzzy Hash: CFF081B1A00205EFD7258F05CD04B99BFA4FF45751F118065F88A9B591E77198C08B50
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 0020E879
    Memory Dump Source
    • Source File: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: d2b4c888e3670fcf56b47ba2557714f78cc4db9515a6279291159499d5815ed9
    • Instruction ID: 39badb124ca4673b1cfcf02bc103f7a4f4afafade13a41be47fdf6a4453af5e0
    • Opcode Fuzzy Hash: d2b4c888e3670fcf56b47ba2557714f78cc4db9515a6279291159499d5815ed9
    • Instruction Fuzzy Hash: C5D05E3216874ADFCB441F60880D2BE3B60EF00722F200529F95285AC0D7711CA09A19
    APIs
    • CloseHandle.KERNELBASE(?,?,003E09D4,?,?), ref: 003E2954
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: ccb89b781bd42d1b8eb96c56ec211b6d9d469530ed440b1052bb5809db461218
    • Instruction ID: 32049ba06794d372bdbb3adf8c9cb9c417bff646b94895b5fcd557ec6aada4e1
    • Opcode Fuzzy Hash: ccb89b781bd42d1b8eb96c56ec211b6d9d469530ed440b1052bb5809db461218
    • Instruction Fuzzy Hash: 62B09B310001187BCF417F51DD0584E7F6DBF51394740C110F5055C0618771D56097D1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID: _7~O$s;xo
    • API String ID: 0-3652046930
    • Opcode ID: 1d72e03fe16caeabcaa97286e2c25d2f4cf48a787d4309b09f94b7b91a7151f4
    • Instruction ID: d3a0da0ee6ab98bf0a05e61ceda6bae09ebd9eb7c08c93a6f3e60be4a3ee3c4e
    • Opcode Fuzzy Hash: 1d72e03fe16caeabcaa97286e2c25d2f4cf48a787d4309b09f94b7b91a7151f4
    • Instruction Fuzzy Hash: C3F15DF3A092045FE308AE3CED8577AB7DADBD4320F19863DE6C1C3748E97558058696
    APIs
      • Part of subcall function 003E0B35: GetCurrentThreadId.KERNEL32 ref: 003E0B44
    • GetSystemTime.KERNEL32(?,-120C5FEC), ref: 003E4CB7
    • GetFileTime.KERNEL32(?,?,?,?,-120C5FEC), ref: 003E4CFA
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSystemThread
    • String ID:
    • API String ID: 2191017843-0
    • Opcode ID: 6660b00abcb9bf39962c081fc509319242de3cfcbd3c1bd12f0b70fad7570787
    • Instruction ID: b5ea8dafaf512ae4712774ccf0e5e8607ee06c552ef8fa5ea10f49fc68ab0edb
    • Opcode Fuzzy Hash: 6660b00abcb9bf39962c081fc509319242de3cfcbd3c1bd12f0b70fad7570787
    • Instruction Fuzzy Hash: CE01283210009AFBCB269F6AED0CD9E7F36FFC5351B054221F4028A4A1C771D8A2EB60
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000000.00000002.1515580059.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515598890.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515614232.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515645104.0000000000216000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515738269.000000000036C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515752422.000000000036E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515798468.0000000000397000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515810903.0000000000399000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515826510.00000000003AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515838910.00000000003AD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515855788.00000000003CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515871080.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515885998.00000000003CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515919716.00000000003E9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515938095.00000000003EC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515955626.00000000003F6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515973029.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1515988646.00000000003FA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516005284.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516021718.0000000000403000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516042612.0000000000407000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516062201.0000000000410000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516078524.0000000000416000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516096459.0000000000417000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516132302.000000000042A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516149021.0000000000431000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516163273.0000000000439000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516178662.000000000043A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516192999.000000000043B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516211315.0000000000443000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.000000000049C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516252321.00000000004A3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516282962.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1516299472.00000000004B4000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID: _7~O$s;xo
    • API String ID: 0-3652046930
    • Opcode ID: c70e675c06f9df73ac106ccee68400b73afaf25af56fb5b7430383d2cb076e4b
    • Instruction ID: 491f42c4b404fd6b460f54081640b21f15bbe5121e4548a4a7de0f4eb7ccf400
    • Opcode Fuzzy Hash: c70e675c06f9df73ac106ccee68400b73afaf25af56fb5b7430383d2cb076e4b
    • Instruction Fuzzy Hash: 58D16DF3A082045FE3046E3CED4667ABBE6EBD4320F26853DE6C5D3744F93594058696
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 003E5B87
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    • Opcode ID: e1a61ea4d1f214929182fbc5112461f7b0551366c9b0bf87df4cf4f50f235b97
    • Instruction ID: e0a8edb0cfe739bd37400e5389b97e1160d39cc80e8dc470b8c803eb631a1fc9
    • Opcode Fuzzy Hash: e1a61ea4d1f214929182fbc5112461f7b0551366c9b0bf87df4cf4f50f235b97
    • Instruction Fuzzy Hash: 32F01C3260164EFFCF02CFA4D94498D7BB1FF18348B108225F9159A690D375DA60EF80
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.0000000000383000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID: q
    • API String ID: 0-4110462503
    • Opcode ID: 8d9031b26ff5919030be9d2f99f8f03be0a34c5df549e4b4e87d29d6af46bb32
    • Instruction ID: 67d110944877461598f944c931263c5036559b4543d95b217ec3d38a3cee9cc1
    • Opcode Fuzzy Hash: 8d9031b26ff5919030be9d2f99f8f03be0a34c5df549e4b4e87d29d6af46bb32
    • Instruction Fuzzy Hash: 7951E3A285CBD26FCB138B3448795A2BFB1AE6B30431D45DFC4C14F1E3E2586156DB86
    Memory Dump Source
    • Source File: 00000000.00000002.1515629019.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cca4c6bce0441d9a97d48100148832f506b08e7e0a822033802452505e41163f
    • Instruction ID: 48d877cde864d2744e11149b08bd680f540777f156edeae839fe34b30c3a1f2e
    • Opcode Fuzzy Hash: cca4c6bce0441d9a97d48100148832f506b08e7e0a822033802452505e41163f
    • Instruction Fuzzy Hash: 36B1AFB3E193A44FF3460A24CC643617B629B56310F1F41FACA889B3D7D97E5C099395
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 57a329db53cb8fb592f43127e951fc31e524e6875954c734a58a83110157bdee
    • Instruction ID: eebfbfdd36acb5192b0db97e7dde8947ebc30cce792f1e41d579dd6e3c3e88db
    • Opcode Fuzzy Hash: 57a329db53cb8fb592f43127e951fc31e524e6875954c734a58a83110157bdee
    • Instruction Fuzzy Hash: F26148A284C3C26FDB038B748875496BFB4AE5731071D85DFC4C29F5A3D214958AE382
    Memory Dump Source
    • Source File: 00000000.00000002.1516112856.0000000000419000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ec07093f3a136d7655d929b26c133127d2ccf2eef70337cd18acf3b35331b0e2
    • Instruction ID: 0c42e3a1ebc68f3ba44ea9e0b3b4880f4ebfc221a635172ed483dbe55b542c55
    • Opcode Fuzzy Hash: ec07093f3a136d7655d929b26c133127d2ccf2eef70337cd18acf3b35331b0e2
    • Instruction Fuzzy Hash: 6541D6B264C624DFD3106E14A94123AF7E5FB94310FB74C2ED9C657302E2795893AB8B
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 95041c7c281846a2d67ce47c3c5db345c65141ced0faa542f69a928194d266e3
    • Instruction ID: 60c19bd337c3729312bf2342e89479cdeb94745f3b8a49cc85921797212939bb
    • Opcode Fuzzy Hash: 95041c7c281846a2d67ce47c3c5db345c65141ced0faa542f69a928194d266e3
    • Instruction Fuzzy Hash: 004115B250C610EFD705AF19D8816AAFBE5EF98710F164D2DE6C9C3614D7348450CB97
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d269f87064968460528e125581734f2662c46ba06c7931f42a8929ef6fbe54fb
    • Instruction ID: 8a9e1510e6253ab38c9b2449797c16d2eab170732be40a0db66826e693521f2e
    • Opcode Fuzzy Hash: d269f87064968460528e125581734f2662c46ba06c7931f42a8929ef6fbe54fb
    • Instruction Fuzzy Hash: CF4124B250C600EFE305BF29D8856AAFBE5EF98710F168D2DE6C983614D7748840CB87
    Memory Dump Source
    • Source File: 00000000.00000002.1515770263.000000000038F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 632bf83870dc3014f3fc14923273ea29186be0e4fee10c658d5a9d19c26f8a09
    • Instruction ID: ea148126ae0c88243376c88af2ff4af18742a7a1dc496882ff253b92366c0181
    • Opcode Fuzzy Hash: 632bf83870dc3014f3fc14923273ea29186be0e4fee10c658d5a9d19c26f8a09
    • Instruction Fuzzy Hash: 1F3115B250C600EFE315AF19D8816AEFBE5EF98710F064D2DE6C993214D7348840CB87
    APIs
      • Part of subcall function 003E0B35: GetCurrentThreadId.KERNEL32 ref: 003E0B44
      • Part of subcall function 003E5236: IsBadWritePtr.KERNEL32(?,00000004), ref: 003E5244
    • wsprintfA.USER32 ref: 003E41FE
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 003E42C2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 439219941-2046107164
    • Opcode ID: 73a3f86b9bc270c6252702d77ad2a4b229f3b7fcc1aa8e095e2a58168c8432c0
    • Instruction ID: 54332c41258721234ca601932c0c791d06709e46029d7bea23de095543009fc0
    • Opcode Fuzzy Hash: 73a3f86b9bc270c6252702d77ad2a4b229f3b7fcc1aa8e095e2a58168c8432c0
    • Instruction Fuzzy Hash: A031193190014AFBDF12DF95DD09EEEBB79FF88310F108525F611A61A0C7719A61EB90
    APIs
    • GetFileAttributesExW.KERNEL32(00CA18E4,00004020,00000000,-120C5FEC), ref: 003E4E76
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 2dcdc6e6b48f3ec78e5d8061bc24a4ffef47ffa198008adfd01d3d6cc215651f
    • Instruction ID: 9a4634c62f60b84c6c7c50c522e2a6115ed1934a19e79b3b4b095713f244781c
    • Opcode Fuzzy Hash: 2dcdc6e6b48f3ec78e5d8061bc24a4ffef47ffa198008adfd01d3d6cc215651f
    • Instruction Fuzzy Hash: 54318BB1900355EFCF268F55C848B9EBBB5FF88300F10861AE5566B690C3B0E6A5DB80
    APIs
      • Part of subcall function 003E0B35: GetCurrentThreadId.KERNEL32 ref: 003E0B44
    • GetFileSize.KERNEL32(?,;1>,-120C5FEC,?,?,003E313B,?,00000000), ref: 003E5850
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1515901853.00000000003D7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_200000_file.jbxd
    Similarity
    • API ID: CurrentFileSizeThread
    • String ID: ;1>$;1>
    • API String ID: 94952809-3865957432
    • Opcode ID: a2ff095f400f7409da4fe084d71707186f7d5bcc794417fc1bca15a3cea86242
    • Instruction ID: 9a7ff9510fdc3def6589b1c412f0f00cf74ef505827297169fd382cabdcaac66
    • Opcode Fuzzy Hash: a2ff095f400f7409da4fe084d71707186f7d5bcc794417fc1bca15a3cea86242
    • Instruction Fuzzy Hash: 1B014C31601996EECB2BAF6AC808F9977B8FB40358F518726E4118A5E1C774E8D1CA60