Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565979
MD5: 8d795116f27f70e8b4aba914ace93ca2
SHA1: 574bee1fc44d913eeb64fedfb1f25dcd51f18983
SHA256: ab786f60075ddca4452dc133bc333368c8677507fe0e995f6a6a60f5a4053899
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7136 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8D795116F27F70E8B4ABA914ACE93CA2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe | Virustotal: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0085FC11 CryptVerifySignatureA | 0_2_0085FC11
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1797071759.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp

System Summary

Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00804089
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00804092
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080436A
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0085AC06 appears 34 times
Source: file.exe, 00000000.00000000.1789301459.0000000000676000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000002.1941854994.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04F715D0 ChangeServiceConfigA | 0_2_04F715D0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 55%
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2871296 > 1048576
Source: file.exe | Static PE information: Raw size of section ddrvpkgv (0x2b6e00) exceeds 0x100000
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1797071759.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp
Note: the CLR usage log under CLR_v4.0_32, the mscoree.dll and CLR runtime library loads, the OriginalFilename values defOff.exe and clr.dll, and the defOff.pdb path all point to a 32-bit .NET 4 payload named defOff; the x86 stubs and the .taggant entry section listed under Data Obfuscation belong to the native packer wrapped around it. The Safer\CodeIdentifiers lookup is the standard Software Restriction Policy check performed at process start and is not suspicious on its own. ChangeServiceConfigA rewrites a service's configuration (for example its start type), which is how the Windows Defender and Windows Update signatures above would be realised; the excerpt does not show which service was targeted.

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.670000.0.unpack :EW;.rsrc:W;.idata :W;ddrvpkgv:EW;zpbiafyp:EW;.taggant:EW; vs :ER;.rsrc:W; (section:rights of the unpacked image vs the file on disk; E = executable, W = writable, R = readable; the first section has an empty name)
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: checksum in header: 0x2c8b76, computed from file contents: 0x2c7f40
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: ddrvpkgv
Source: file.exe | Static PE information: section name: zpbiafyp
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00804089 push 63F233F3h; mov dword ptr [esp], ebx | 0_2_0080415A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00804089 push 5D523960h; mov dword ptr [esp], esp | 0_2_00804190
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00811282 push 5123165Dh; mov dword ptr [esp], eax | 0_2_0081129C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00811282 push 397F4C04h; mov dword ptr [esp], eax | 0_2_0081517C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080421D push ecx; mov dword ptr [esp], edi | 0_2_008042AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080421D push 2418C133h; mov dword ptr [esp], edx | 0_2_008042C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006833CA push 71AEC02Ah; mov dword ptr [esp], esp | 0_2_006844C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081287F push edi; mov dword ptr [esp], ebx | 0_2_00813500
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00817084 push 1F6E463Fh; mov dword ptr [esp], esi | 0_2_008171EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00804092 push 63F233F3h; mov dword ptr [esp], ebx | 0_2_0080415A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00804092 push 5D523960h; mov dword ptr [esp], esp | 0_2_00804190
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080F092 push 01B7D287h; mov dword ptr [esp], edx | 0_2_0080F3FB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00681077 push eax; mov dword ptr [esp], ecx | 0_2_0068170B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00681077 push edx; mov dword ptr [esp], ebp | 0_2_0068374B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080509F push ebp; mov dword ptr [esp], 4551045Ch | 0_2_008050B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008110A8 push edx; mov dword ptr [esp], 7CEF4C40h | 0_2_008126A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081A0AB push ebx; ret | 0_2_0081A0BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008110B6 push edx; mov dword ptr [esp], ecx | 0_2_00812573
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008120BA push ecx; mov dword ptr [esp], esi | 0_2_00813FB7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008070BC push 26FC5554h; mov dword ptr [esp], edi | 0_2_008070C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008170C9 push ebx; mov dword ptr [esp], ebp | 0_2_008170D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008130D6 push 4BB81CF8h; mov dword ptr [esp], ebp | 0_2_00814933
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008AF0D6 push 3403DFBFh; mov dword ptr [esp], eax | 0_2_008AF0DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008AF0D6 push edi; mov dword ptr [esp], esi | 0_2_008AF12E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080F0DC push ecx; mov dword ptr [esp], 76EF9A86h | 0_2_0080F36F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067C014 push 624EBBB6h; mov dword ptr [esp], edi | 0_2_0067C9CA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008080F6 push ecx; ret | 0_2_00808105
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008110F8 push edi; mov dword ptr [esp], ecx | 0_2_008139B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008110F8 push 0B16DDEDh; mov dword ptr [esp], esp | 0_2_008139BD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081B001 push 33CB3B9Fh; mov dword ptr [esp], edi | 0_2_0081B04B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081B001 push esi; mov dword ptr [esp], ebp | 0_2_0081B076
Source: file.exe | Static PE information: section name: (empty) entropy: 7.81079285253534
Note: each "push imm32; mov dword ptr [esp], reg" pair above is a rewritten "push reg" (the immediate is junk that the next instruction overwrites), "push reg; mov dword ptr [esp], imm32" is a rewritten "push imm32", and "push reg; ret" is a rewritten "jmp reg"; these are the patterns behind the "call, push, ret" obfuscation signature. The entry point sitting in .taggant (a section name commonly seen on binaries wrapped by commercial protectors, which append an IEEE Taggant record there), an empty section name, the random eight-character names ddrvpkgv and zpbiafyp, the 7.81 bits/byte entropy of the unnamed section and the wrong header checksum are all properties of the protector layer rather than of compiler output.
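As an added example (not Joe Sandbox code and not code from the sample), the Python below reproduces the static checks behind the findings in this section: it parses the PE32 header and section table, recomputes the header checksum with the standard algorithm (the "checksum in header / computed" line), finds the section that contains the entry point, flags empty, special-character and non-standard section names, and measures per-section entropy. build_report_like_sample() assembles a constructed PE32 with the same section layout as the report (an unnamed section, .rsrc, .idata, ddrvpkgv, zpbiafyp and .taggant holding the entry point); its contents are filler, not bytes from file.exe, and the STANDARD_SECTIONS/CODE_SECTIONS lists and the 7.0 bits/byte threshold are the example's own choices.

```python
"""Static PE triage for the findings above: header checksum, entry-point
section, section names and per-section entropy.
Added example; not Joe Sandbox code and not code from the sample. The PE32 from
build_report_like_sample() only copies the report's section layout; its bytes
are constructed filler, not data from file.exe."""
import hashlib
import math
import struct
from collections import Counter

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
# Names a normal compiler/linker emits (example's own list); anything else gets flagged.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT"}
CODE_SECTIONS = {".text", "CODE"}   # where an unpacked binary's entry point normally lives


def parse_pe(data: bytes) -> dict:
    """Minimal PE32 parser: entry RVA, CheckSum field offset/value and section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff, opt = e_lfanew + 4, e_lfanew + 24
    if data[:2] != b"MZ" or data[e_lfanew:coff] != b"PE\0\0" \
            or struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 file")
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "va": va, "raw_size": rsize, "raw_ptr": rptr})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0], "checksum_offset": opt + 64,
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0], "sections": sections}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE header checksum (the CheckSumMappedFile algorithm): sum 32-bit words with
    end-around carry, skip the CheckSum field, fold to 16 bits, add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset & ~3:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def shannon_entropy(buf: bytes) -> float:
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def triage(data: bytes) -> list:
    """Static findings a reviewer would flag; an empty list means nothing odd."""
    pe, findings = parse_pe(data), []
    computed = pe_checksum(data, pe["checksum_offset"])
    # A zero CheckSum only means the linker never set one; a set-but-wrong one is a flag.
    if pe["stored_checksum"] and pe["stored_checksum"] != computed:
        findings.append(f"checksum mismatch: header 0x{pe['stored_checksum']:x}, "
                        f"computed 0x{computed:x}")
    ep = next((s for s in pe["sections"] if s["va"] <= pe["entry_rva"]
               < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if ep is None:
        findings.append("entry point outside every section")
    elif ep["name"] not in CODE_SECTIONS:
        findings.append(f"entry point in non-standard section {ep['name']!r}")
    for s in pe["sections"]:
        name = s["name"]
        if not name or not all(0x20 < ord(c) < 0x7F for c in name):
            findings.append(f"blank or special-character section name {name!r}")
        elif name not in STANDARD_SECTIONS | CODE_SECTIONS:
            findings.append(f"non-standard section name {name!r}")
        ent = shannon_entropy(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
        if ent > 7.0:   # packed or encrypted data sits close to 8 bits/byte
            findings.append(f"high-entropy section {name!r} ({ent:.2f} bits/byte)")
    return findings


def build_pe32(sections, entry_index: int) -> bytes:
    """Assemble a PE32 from (name, raw_bytes, characteristics) and write a correct
    CheckSum. Constructed for this example, not a linker's output."""
    e_lfanew, opt_size = 0x40, 0xE0
    hdr_len = -(-(e_lfanew + 24 + opt_size + 40 * len(sections)) // FILE_ALIGN) * FILE_ALIGN
    table, body, va, rptr, entry_rva = b"", b"", SECT_ALIGN, hdr_len, 0
    for i, (name, raw, chars) in enumerate(sections):
        raw += b"\0" * (-len(raw) % FILE_ALIGN)
        entry_rva = va if i == entry_index else entry_rva
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw), va,
                             len(raw), rptr, 0, 0, 0, 0, chars)
        body, rptr, va = body + raw, rptr + len(raw), va + -(-len(raw) // SECT_ALIGN) * SECT_ALIGN
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 14, 0, 0, 0, 0, entry_rva, SECT_ALIGN, 0,
                      0x400000, SECT_ALIGN, FILE_ALIGN, 6, 0, 0, 0, 6, 0, 0, va, hdr_len, 0,
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    hdr = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
           + opt + table)
    image = bytearray(hdr + b"\0" * (hdr_len - len(hdr)) + body)
    struct.pack_into("<I", image, e_lfanew + 88, pe_checksum(bytes(image), e_lfanew + 88))
    return bytes(image)


def build_report_like_sample() -> bytes:
    """Same section layout as the report; contents are filler, not file.exe data."""
    packed = b""
    while len(packed) < 4096:       # deterministic high-entropy stand-in for packed code
        packed += hashlib.sha256(packed[-32:] or b"seed").digest()
    RX, RW, RWX = 0x60000020, 0xC0000040, 0xE0000020
    return build_pe32([("", packed, RWX), (".rsrc", b"\0" * 64, RW), (".idata", b"\0" * 64, RW),
                       ("ddrvpkgv", b"\xcc" * 256, RX), ("zpbiafyp", b"\xcc" * 256, RX),
                       (".taggant", b"\x60\x9c\xe9\0\0\0\0", RX)], entry_index=5)
```

triage() accepts any PE32 read from disk (triage(open(path, "rb").read())). A zero stored checksum is not reported because many unsigned binaries simply leave the field unset; a set-but-wrong value, as in this report, means the bytes changed after the header was written. PE32+ support needs only the magic check and the 64-bit ImageBase/stack/heap fields and is left out to keep the example short.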

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass (2 times)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS (3 times)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (16 times)
Note: PROCMON_WINDOW_CLASS is the window class of Sysinternals Process Monitor; FilemonClass and RegmonClass belong to the older Filemon and Regmon tools. Looking them up by class name is a cheap test for an analyst's tooling, so these searches support the "Tries to detect process monitoring tools" signature rather than any persistence mechanism. NOOPENFILEERRORBOX is the SEM_NOOPENFILEERRORBOX flag of SetErrorMode; it suppresses the "file not found" dialog the loader would otherwise show, which keeps a packer's probing for DLLs silent.

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Note: HKCU\Software\Wine exists only when the process runs under Wine, and HARDWARE\ACPI\DSDT\VBOX__ is the ACPI table name a VirtualBox guest exposes through the registry; neither key exists on a physical Windows host, so their mere presence is what the sample tests for. The RDTSC interceptor entries that follow show the timing check: between the two rdtsc reads there are only register pushes/pops and short jumps, so a large delta between the reads (an emulator or a single-stepping debugger) is what the code is looking for.
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 804EFA second address: 804F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F04C0505470h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 803F1D second address: 803F3E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F04C0E49A6Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 803F3E second address: 803F44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 803F44 second address: 803F48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8043A0 second address: 8043A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8043A4 second address: 8043E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F04C0E49A71h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F04C0E49A63h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8043E0 second address: 8043FB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F04C0505466h 0x00000008 jbe 00007F04C0505466h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push ecx 0x00000012 push edi 0x00000013 jbe 00007F04C0505466h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 807D5F second address: 807D87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F04C0E49A67h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 807DF3 second address: 807E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007F04C0505468h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 00000015h 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 mov dword ptr [ebp+122D3331h], ebx 0x00000027 movsx ecx, cx 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ebp 0x0000002f call 00007F04C0505468h 0x00000034 pop ebp 0x00000035 mov dword ptr [esp+04h], ebp 0x00000039 add dword ptr [esp+04h], 0000001Bh 0x00000041 inc ebp 0x00000042 push ebp 0x00000043 ret 0x00000044 pop ebp 0x00000045 ret 0x00000046 or dword ptr [ebp+122D1DE6h], esi 0x0000004c push eax 0x0000004d mov cx, si 0x00000050 pop edx 0x00000051 push A728C427h 0x00000056 push eax 0x00000057 push edx 0x00000058 je 00007F04C0505468h 0x0000005e push edi 0x0000005f pop edi 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 807E5F second address: 807E65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 807E65 second address: 807E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 807E69 second address: 807EDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C0E49A5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 58D73C59h 0x00000012 push 00000003h 0x00000014 movzx edi, dx 0x00000017 push 00000000h 0x00000019 clc 0x0000001a push 00000003h 0x0000001c mov esi, eax 0x0000001e mov edi, dword ptr [ebp+122D2D2Dh] 0x00000024 push 9E576EE7h 0x00000029 jmp 00007F04C0E49A63h 0x0000002e add dword ptr [esp], 21A89119h 0x00000035 push eax 0x00000036 mov dword ptr [ebp+122D21A1h], edi 0x0000003c pop edx 0x0000003d lea ebx, dword ptr [ebp+1245DC84h] 0x00000043 jns 00007F04C0E49A57h 0x00000049 cld 0x0000004a mov edi, ebx 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F04C0E49A5Fh 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 807F50 second address: 807F7A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 add dword ptr [ebp+122D38E5h], esi 0x0000000f push 00000000h 0x00000011 mov edx, dword ptr [ebp+122D2AADh] 0x00000017 jp 00007F04C0505469h 0x0000001d sub ch, FFFFFFFFh 0x00000020 push EEF05F80h 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 807F7A second address: 807F7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 807F7E second address: 807F88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 807F88 second address: 808019 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C0E49A69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a add dword ptr [esp], 110FA100h 0x00000011 mov dword ptr [ebp+122D3AE4h], eax 0x00000017 mov cx, bx 0x0000001a push 00000003h 0x0000001c call 00007F04C0E49A66h 0x00000021 mov ecx, dword ptr [ebp+122D2C99h] 0x00000027 pop edi 0x00000028 push 00000000h 0x0000002a mov dword ptr [ebp+122D1DEEh], edx 0x00000030 pushad 0x00000031 mov dl, 83h 0x00000033 push edx 0x00000034 mov bl, al 0x00000036 pop edi 0x00000037 popad 0x00000038 push 00000003h 0x0000003a push 00000000h 0x0000003c push edi 0x0000003d call 00007F04C0E49A58h 0x00000042 pop edi 0x00000043 mov dword ptr [esp+04h], edi 0x00000047 add dword ptr [esp+04h], 00000019h 0x0000004f inc edi 0x00000050 push edi 0x00000051 ret 0x00000052 pop edi 0x00000053 ret 0x00000054 mov cx, di 0x00000057 call 00007F04C0E49A59h 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 808019 second address: 80801D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80801D second address: 80804C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push ecx 0x00000009 jmp 00007F04C0E49A5Ch 0x0000000e pop ecx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push ebx 0x00000014 push eax 0x00000015 je 00007F04C0E49A56h 0x0000001b pop eax 0x0000001c pop ebx 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 push ebx 0x00000021 pushad 0x00000022 popad 0x00000023 pop ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80804C second address: 808050 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 808050 second address: 808061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 808061 second address: 808093 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C050546Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov si, ax 0x0000000d lea ebx, dword ptr [ebp+1245DC8Dh] 0x00000013 mov edx, dword ptr [ebp+122D2D7Dh] 0x00000019 xchg eax, ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F04C050546Ch 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 808134 second address: 80813A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80813A second address: 808166 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b or dword ptr [ebp+122D1DB6h], edx 0x00000011 push 00000000h 0x00000013 mov edi, dword ptr [ebp+122D2CF1h] 0x00000019 push 8D3AFAF5h 0x0000001e push eax 0x0000001f push edx 0x00000020 jnl 00007F04C050546Ch 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 808166 second address: 808170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F04C0E49A56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 808170 second address: 8081AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 72C5058Bh 0x0000000f push edx 0x00000010 mov dword ptr [ebp+122D1D15h], eax 0x00000016 pop ecx 0x00000017 push 00000003h 0x00000019 jmp 00007F04C050546Ch 0x0000001e push 00000000h 0x00000020 push 00000003h 0x00000022 mov esi, dword ptr [ebp+122D2B99h] 0x00000028 push F3EE82C1h 0x0000002d push ebx 0x0000002e pushad 0x0000002f pushad 0x00000030 popad 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8081AA second address: 8081E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 xor dword ptr [esp], 33EE82C1h 0x0000000d mov dx, 5181h 0x00000011 mov esi, dword ptr [ebp+122D2D4Dh] 0x00000017 lea ebx, dword ptr [ebp+1245DC98h] 0x0000001d mov si, 8B99h 0x00000021 xchg eax, ebx 0x00000022 pushad 0x00000023 push esi 0x00000024 pushad 0x00000025 popad 0x00000026 pop esi 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F04C0E49A62h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8081E5 second address: 8081E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F7100 second address: 7F7104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8274D8 second address: 82751E instructions: 0x00000000 rdtsc 0x00000002 je 00007F04C0505468h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F04C0505476h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 jmp 00007F04C0505475h 0x0000001b push eax 0x0000001c push edx 0x0000001d jl 00007F04C0505466h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F7116 second address: 7F712A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F04C0E49A56h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 827658 second address: 82765C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 82765C second address: 827664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 827664 second address: 827669 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8277B2 second address: 8277B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 827E33 second address: 827E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 827E39 second address: 827E45 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jne 00007F04C0E49A56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 82811B second address: 828149 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C0505474h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007F04C050546Eh 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 828149 second address: 82814D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 82814D second address: 828151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 828151 second address: 82817B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04C0E49A63h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jng 00007F04C0E49A56h 0x00000012 pop ecx 0x00000013 pushad 0x00000014 jp 00007F04C0E49A56h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81BAF7 second address: 81BAFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81BAFC second address: 81BB21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jc 00007F04C0E49A56h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push ecx 0x00000011 jng 00007F04C0E49A56h 0x00000017 jmp 00007F04C0E49A5Ah 0x0000001c pop ecx 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81BB21 second address: 81BB42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F04C0505474h 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81BB42 second address: 81BB46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 829151 second address: 829155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 829155 second address: 829159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 829159 second address: 829177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007F04C0505466h 0x0000000d jmp 00007F04C050546Ah 0x00000012 jnc 00007F04C0505466h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 829177 second address: 82917D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 82917D second address: 829181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 82E71F second address: 82E732 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F04C0E49A5Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 82FBCC second address: 82FBD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F04C0505466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8341D2 second address: 8341D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8341D6 second address: 8341DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 834480 second address: 834484 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 834484 second address: 83448D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 834600 second address: 834609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 834609 second address: 834643 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C0505477h 0x00000007 jmp 00007F04C050546Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007F04C050546Eh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8349A4 second address: 8349B2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F04C0E49A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8349B2 second address: 8349B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 834B15 second address: 834B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 836478 second address: 836489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F04C050546Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 836489 second address: 83648D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8365C0 second address: 8365D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jc 00007F04C0505466h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8366A4 second address: 8366AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8366AA second address: 8366AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8367A4 second address: 8367C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C0E49A63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8368C1 second address: 8368C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8369ED second address: 8369F7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F04C0E49A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 836AB9 second address: 836ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 836ABF second address: 836AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 836AC4 second address: 836ACA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 836ACA second address: 836ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 836ED5 second address: 836EEE instructions: 0x00000000 rdtsc 0x00000002 je 00007F04C050546Ch 0x00000008 jc 00007F04C0505466h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push esi 0x00000015 pop esi 0x00000016 push esi 0x00000017 pop esi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8373C4 second address: 8373D2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F04C0E49A56h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8373D2 second address: 8373D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 838234 second address: 83823E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F04C0E49A56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8380FF second address: 838105 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 838105 second address: 83810B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 838309 second address: 838333 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C050546Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F04C0505479h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8393ED second address: 8393F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F04C0E49A56h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 839E10 second address: 839EB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C050546Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jg 00007F04C050547Eh 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F04C0505468h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b mov si, 23FAh 0x0000002f push 00000000h 0x00000031 mov esi, dword ptr [ebp+122D2CFDh] 0x00000037 jmp 00007F04C0505478h 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 call 00007F04C0505468h 0x00000046 pop ebx 0x00000047 mov dword ptr [esp+04h], ebx 0x0000004b add dword ptr [esp+04h], 0000001Dh 0x00000053 inc ebx 0x00000054 push ebx 0x00000055 ret 0x00000056 pop ebx 0x00000057 ret 0x00000058 push eax 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c jc 00007F04C0505466h 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 839BB4 second address: 839BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 839BBD second address: 839BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 839BC1 second address: 839BC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83A931 second address: 83A936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83A936 second address: 83A9E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C0E49A64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c pushad 0x0000000d mov dword ptr [ebp+122D2E6Eh], edx 0x00000013 push esi 0x00000014 jmp 00007F04C0E49A64h 0x00000019 pop esi 0x0000001a popad 0x0000001b and esi, 7666F991h 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ebx 0x00000026 call 00007F04C0E49A58h 0x0000002b pop ebx 0x0000002c mov dword ptr [esp+04h], ebx 0x00000030 add dword ptr [esp+04h], 00000018h 0x00000038 inc ebx 0x00000039 push ebx 0x0000003a ret 0x0000003b pop ebx 0x0000003c ret 0x0000003d jmp 00007F04C0E49A64h 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push ebp 0x00000047 call 00007F04C0E49A58h 0x0000004c pop ebp 0x0000004d mov dword ptr [esp+04h], ebp 0x00000051 add dword ptr [esp+04h], 00000018h 0x00000059 inc ebp 0x0000005a push ebp 0x0000005b ret 0x0000005c pop ebp 0x0000005d ret 0x0000005e mov edi, dword ptr [ebp+122D2B61h] 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 push esi 0x00000068 jmp 00007F04C0E49A5Eh 0x0000006d pop esi 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83B563 second address: 83B56A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83B56A second address: 83B56F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83CF5F second address: 83CF7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04C0505477h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83CF7A second address: 83CFC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C0E49A66h 0x00000007 jmp 00007F04C0E49A69h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F04C0E49A64h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83E611 second address: 83E61D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F04C0505466h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83E61D second address: 83E626 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83E626 second address: 83E642 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F04C0505466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 push esi 0x00000013 pushad 0x00000014 popad 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83F6F5 second address: 83F763 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F04C0E49A5Dh 0x0000000e push eax 0x0000000f jmp 00007F04C0E49A5Ah 0x00000014 pop eax 0x00000015 popad 0x00000016 nop 0x00000017 mov dword ptr [ebp+122D209Eh], edx 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007F04C0E49A58h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 0000001Dh 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c pop esi 0x0000003d call 00007F04C0E49A5Ch 0x00000042 mov dword ptr [ebp+122D38ADh], ecx 0x00000048 pop esi 0x00000049 xchg eax, ebx 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83F49C second address: 83F4AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F04C050546Bh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83F763 second address: 83F792 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C0E49A5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F04C0E49A61h 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 842320 second address: 842326 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 842326 second address: 84232B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84232B second address: 84234B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F04C0505476h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 842914 second address: 84291A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84291A second address: 84291E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 845B93 second address: 845BA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push edx 0x00000008 pop edx 0x00000009 popad 0x0000000a pushad 0x0000000b jns 00007F04C0E49A56h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 845BA6 second address: 845BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 843A7A second address: 843A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F04C0E49A5Fh 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F04C0E49A58h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 843A9A second address: 843AA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 848199 second address: 8481BE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F04C0E49A62h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jp 00007F04C0E49A62h 0x00000011 jl 00007F04C0E49A5Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8482F3 second address: 84832D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F04C0505478h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f jmp 00007F04C0505474h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 849F67 second address: 849F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84832D second address: 848331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 849F6B second address: 849F75 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F04C0E49A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 849F75 second address: 849FDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007F04C0505466h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 xor dword ptr [ebp+122D38C5h], eax 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F04C0505468h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000018h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 jbe 00007F04C050546Ch 0x00000039 and edi, dword ptr [ebp+122D2BD9h] 0x0000003f push 00000000h 0x00000041 xor bh, 00000077h 0x00000044 xchg eax, esi 0x00000045 jmp 00007F04C0505475h 0x0000004a push eax 0x0000004b push ebx 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 849FDA second address: 849FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8483E6 second address: 8483F0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F04C0505466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84BF99 second address: 84BF9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84D0D0 second address: 84D0E3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F04C0505468h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84D0E3 second address: 84D0E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84D0E7 second address: 84D0F1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F04C0505466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84D0F1 second address: 84D0FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F04C0E49A56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84F047 second address: 84F04C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85118F second address: 851219 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C0E49A61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F04C0E49A5Ch 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F04C0E49A58h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a mov ebx, 05142BE1h 0x0000002f push 00000000h 0x00000031 mov ebx, ecx 0x00000033 push 00000000h 0x00000035 mov ebx, 7AA6630Ah 0x0000003a jnc 00007F04C0E49A5Bh 0x00000040 xchg eax, esi 0x00000041 push ebx 0x00000042 pushad 0x00000043 jmp 00007F04C0E49A65h 0x00000048 jnc 00007F04C0E49A56h 0x0000004e popad 0x0000004f pop ebx 0x00000050 push eax 0x00000051 pushad 0x00000052 push eax 0x00000053 push ecx 0x00000054 pop ecx 0x00000055 pop eax 0x00000056 pushad 0x00000057 jnc 00007F04C0E49A56h 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84E321 second address: 84E386 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 mov bx, cx 0x0000000b push dword ptr fs:[00000000h] 0x00000012 mov dword ptr fs:[00000000h], esp 0x00000019 mov dword ptr [ebp+1248323Eh], eax 0x0000001f mov eax, dword ptr [ebp+122D09C1h] 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007F04C0505468h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 00000017h 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f mov di, C4DDh 0x00000043 push FFFFFFFFh 0x00000045 adc edi, 375525A0h 0x0000004b push eax 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F04C0505471h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84E386 second address: 84E391 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8521B9 second address: 8521BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8521BD second address: 8521C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86547E second address: 865486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 864BCF second address: 864BD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 864BD3 second address: 864BD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 864BD7 second address: 864C17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04C0E49A65h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d jmp 00007F04C0E49A69h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jo 00007F04C0E49A56h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 865049 second address: 865069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F04C0505478h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 865069 second address: 86506F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86506F second address: 865075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 865075 second address: 865080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 865080 second address: 865084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 865084 second address: 86508E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F04C0E49A56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86DBBF second address: 86DBC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86DBC3 second address: 86DBC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86DCBB second address: 86DCBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86DCBF second address: 86DCD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F04C0E49A61h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86DDCB second address: 86DDCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86DDCF second address: 86DDE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C0E49A5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86DDE9 second address: 86DDEF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8728FB second address: 8728FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8728FF second address: 872909 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F04C050546Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872909 second address: 872915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872915 second address: 872919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872919 second address: 87292F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F04C0E49A56h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jns 00007F04C0E49A56h 0x00000013 push edi 0x00000014 pop edi 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87292F second address: 87294D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C0505474h 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F04C0505466h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87294D second address: 872965 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C0E49A64h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BC248 second address: 8BC24C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BC24C second address: 8BC278 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F04C0505466h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F04C0505478h 0x00000013 ja 00007F04C0505466h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BC278 second address: 8BC27E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BC3CC second address: 8BC3D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BCB91 second address: 8BCBAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04C0E49A5Fh 0x00000009 pop edi 0x0000000a pop esi 0x0000000b push edi 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BB309 second address: 8BB32B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C0505478h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BB32B second address: 8BB330 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BB330 second address: 8BB336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C596D second address: 8C5973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C5973 second address: 8C5987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 jmp 00007F04C050546Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C5987 second address: 8C59CD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F04C0E49A62h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F04C0E49A5Ch 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jo 00007F04C0E49A58h 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c jmp 00007F04C0E49A67h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C537F second address: 8C5383 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C562D second address: 8C5633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C5633 second address: 8C5640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F04C0505466h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D2270 second address: 8D2276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D2276 second address: 8D2281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D2281 second address: 8D2285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D2285 second address: 8D228B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D228B second address: 8D2295 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F04C0E49A62h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D2295 second address: 8D229B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D229B second address: 8D22AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jng 00007F04C0E49A56h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D22AA second address: 8D22C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pop edx 0x0000000c je 00007F04C0505466h 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D22C1 second address: 8D22CB instructions: 0x00000000 rdtsc 0x00000002 jne 00007F04C0E49A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D22CB second address: 8D22D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F04C0505466h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D22D7 second address: 8D22DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D4CDE second address: 8D4CF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04C0505477h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D4CF9 second address: 8D4D09 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jno 00007F04C0E49A56h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D4D09 second address: 8D4D2A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F04C0505466h 0x00000008 jng 00007F04C0505466h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jns 00007F04C0505466h 0x0000001b jl 00007F04C0505466h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D4D2A second address: 8D4D42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C0E49A64h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D4D42 second address: 8D4D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D4D4C second address: 8D4D50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D4D50 second address: 8D4D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F04C0505476h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D4D74 second address: 8D4D78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F3C91 second address: 7F3C97 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DC42B second address: 8DC462 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C0E49A5Bh 0x00000007 jp 00007F04C0E49A56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F04C0E49A61h 0x00000014 jp 00007F04C0E49A5Ch 0x0000001a popad 0x0000001b push esi 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DBE1D second address: 8DBE3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F04C0505472h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DBF8C second address: 8DBF90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F8CA4 second address: 7F8CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F8CAD second address: 7F8CB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DFDE1 second address: 8DFDE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DFDE5 second address: 8DFDEB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7595 second address: 8E75B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jmp 00007F04C050546Bh 0x0000000d popad 0x0000000e pushad 0x0000000f jc 00007F04C0505466h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA3BF second address: 8EA3C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA3C3 second address: 8EA3CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA3CD second address: 8EA3D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA3D3 second address: 8EA423 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F04C0505466h 0x00000008 jmp 00007F04C0505471h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F04C0505474h 0x00000015 push eax 0x00000016 push edx 0x00000017 jl 00007F04C0505466h 0x0000001d jmp 00007F04C0505478h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA423 second address: 8EA427 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA427 second address: 8EA431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA431 second address: 8EA435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F2A2D second address: 8F2A33 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F1445 second address: 8F144F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F144F second address: 8F1488 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C050546Ah 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jno 00007F04C0505466h 0x00000010 jmp 00007F04C050546Ch 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 jnl 00007F04C0505468h 0x0000001f jnc 00007F04C0505468h 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F1488 second address: 8F148E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F1752 second address: 8F1758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F1C04 second address: 8F1C0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F04C0E49A56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F1D74 second address: 8F1D7A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F1D7A second address: 8F1D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F04C0E49A5Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F1D93 second address: 8F1D97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F71C2 second address: 8F71C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F71C6 second address: 8F71CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 901F9C second address: 901FA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 901FA2 second address: 901FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 ja 00007F04C0505466h 0x0000000e jc 00007F04C0505466h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90FDAA second address: 90FDB4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F04C0E49A5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91949B second address: 9194A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9194A0 second address: 9194AC instructions: 0x00000000 rdtsc 0x00000002 js 00007F04C0E49A5Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91975F second address: 919763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 919763 second address: 919781 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F04C0E49A68h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 919781 second address: 91978D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F04C050546Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91978D second address: 919796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91999B second address: 91999F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91999F second address: 9199A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9199A3 second address: 9199A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9199A9 second address: 9199AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9199AF second address: 9199F4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F04C050547Ch 0x00000008 jmp 00007F04C0505471h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F04C0505472h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EB7CC second address: 7EB7F4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F04C0E49A58h 0x00000008 jmp 00007F04C0E49A66h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D74D second address: 91D758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D758 second address: 91D75E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D75E second address: 91D762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D762 second address: 91D770 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04C0E49A5Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83921C second address: 839221 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe; Special instruction interceptor: First address: 67DE07 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe; Special instruction interceptor: First address: 67B4F6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe; Special instruction interceptor: First address: 67DE13 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe; Memory allocated: 4E90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe; Memory allocated: 50E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe; Memory allocated: 4E90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe; Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00804089 rdtsc 0_2_00804089
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0081A607 sidt fword ptr [esp-02h] 0_2_0081A607
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 2724; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe; System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe; Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe; Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe; Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe; Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe; Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe; Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe; Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe; Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe; Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe; Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe; File opened: NTICE
Source: C:\Users\user\Desktop\file.exe; File opened: SICE
Source: C:\Users\user\Desktop\file.exe; File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00804089 rdtsc 0_2_00804089
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0067B7D2 LdrInitializeThunk, 0_2_0067B7D2
Source: C:\Users\user\Desktop\file.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe; Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: @pProgram Manager
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0085ED53 GetSystemTime, GetFileTime, 0_2_0085ED53

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe; Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection; Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection; Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications; Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe; Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Numbers in parentheses are the count of matching signatures for that technique.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Service Execution (1) | Windows Service (1) | Windows Service (1) | Masquerading (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | Process Injection (1) | Disable or Modify Tools (41) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (271) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Bypass User Account Control (2) | Process Injection (1) | NTDS | Virtualization/Sandbox Evasion (271) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | System Information Discovery (23) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (11) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Bypass User Account Control (2) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner | Label
file.exe | 56% | Virustotal |
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1565979
Start date and time: 2024-12-01 03:31:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
  • Not all processes were analyzed; report is missing behavior information
  • Report size getting too big; too many NtProtectVirtualMemory calls found
No simulations
No context
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.481658653707158
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'871'296 bytes
MD5: 8d795116f27f70e8b4aba914ace93ca2
SHA1: 574bee1fc44d913eeb64fedfb1f25dcd51f18983
SHA256: ab786f60075ddca4452dc133bc333368c8677507fe0e995f6a6a60f5a4053899
SHA512: bcb29613e2e94f8447a98a0dcc10a787b6fb47e1c0fa519c71ba831b6bca03a71f06dd69ee2617181cedfc73204a9b2fb9d2a339a4e4479b5f84a0f6317d016a
SSDEEP: 49152:BT+VQCHZvVVc7EIgMQbsWkHWEYcSqv4ztz+eQAUe:BqmCHpVVc7EIgMQIWfEYcPvACB6
TLSH: E2D55B95E509B2CFD48F17B89427CE82A95D02B90B2648C3ED5D64BE7E73DC121FAC24
File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........@,.. ...`....@.. ........................,.....v.,...`................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x6c4000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F04C0B0ECAAh
xrstor [ebx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x2000 | 0x4000 | 0x1200 | c38a17823232217e90171a36674d5e87 | False | 0.9331597222222222 | data | 7.81079285253534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ddrvpkgv | 0xa000 | 0x2b8000 | 0x2b6e00 | d9e26cdf065275f788e08a3ed365a5a5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zpbiafyp | 0x2c2000 | 0x2000 | 0x600 | d4f21b8d211d2570de3f0d41f272c4af | False | 0.544921875 | data | 4.7521517611951385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2c4000 | 0x4000 | 0x2200 | 9abb0f614658463d98bb9df9d0fa3c92 | False | 0.06537224264705882 | DOS executable (COM) | 0.7645916026587739 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
No network behavior found
Target ID: 0
Start time: 21:32:11
Start date: 30/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x670000
File size: 2'871'296 bytes
MD5 hash: 8D795116F27F70E8B4ABA914ACE93CA2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true
    Execution Graph

    Execution Coverage:4.6%
    Dynamic/Decrypted Code Coverage:5.3%
    Signature Coverage:1.8%
    Total number of Nodes:284
    Total number of Limit Nodes:13
    execution_graph 9499 85ecc1 9508 85ac06 GetCurrentThreadId 9499->9508 9502 85ed19 9504 85ed1e DuplicateHandle 9502->9504 9503 85ecdd 9503->9502 9505 85ed08 9503->9505 9507 85ed14 9504->9507 9510 85ca5e 9505->9510 9509 85ac1e GetCurrentProcess 9508->9509 9509->9502 9509->9503 9513 85ca88 9510->9513 9511 85cb1b 9511->9507 9513->9511 9514 85ca46 9513->9514 9517 85aab1 9514->9517 9518 85aac7 9517->9518 9519 85aae1 9518->9519 9521 85aa95 9518->9521 9519->9511 9524 85ca1f CloseHandle 9521->9524 9523 85aaa5 9523->9519 9525 85ca33 9524->9525 9525->9523 9526 4f710f0 9527 4f710f4 9526->9527 9530 85d95a 9527->9530 9528 4f71151 9531 85ac06 GetCurrentThreadId 9530->9531 9532 85d966 9531->9532 9533 85d98f 9532->9533 9534 85d97f 9532->9534 9537 85d994 CloseHandle 9533->9537 9535 85ca46 CloseHandle 9534->9535 9536 85d985 9535->9536 9536->9528 9537->9536 9538 85fe8d 9539 85ac06 GetCurrentThreadId 9538->9539 9540 85fe99 9539->9540 9541 85ff01 MapViewOfFileEx 9540->9541 9542 85feb2 9540->9542 9541->9542 9543 804089 LoadLibraryA 9544 80409b 9543->9544 9545 85c8c8 9546 85ac06 GetCurrentThreadId 9545->9546 9547 85c8d4 9546->9547 9548 85c8f2 9547->9548 9552 85b318 9547->9552 9550 85c923 GetModuleHandleExA 9548->9550 9551 85c8fa 9548->9551 9550->9551 9553 85b366 9552->9553 9554 85b329 9552->9554 9553->9548 9554->9553 9556 85b1b9 9554->9556 9557 85b1e6 9556->9557 9558 85b214 PathAddExtensionA 9557->9558 9559 85b22f 9557->9559 9566 85b2ec 9557->9566 9558->9559 9561 85b251 9559->9561 9568 85ae5a 9559->9568 9562 85ae5a lstrcmpiA 9561->9562 9561->9566 9567 85b29a 9561->9567 9562->9567 9563 85ae5a lstrcmpiA 9564 85b2c3 9563->9564 9565 85ae5a lstrcmpiA 9564->9565 9564->9566 9565->9566 9566->9554 9567->9563 9567->9564 9567->9566 9569 85ae78 9568->9569 9570 85ae8f 9569->9570 9572 85add7 9569->9572 9570->9561 9574 85ae02 9572->9574 9573 85ae4a 9573->9570 9574->9573 9575 85ae34 lstrcmpiA 9574->9575 9575->9573 9576 807ed0 9577 807e5e CreateFileA 9576->9577 9579 807ef5 9577->9579 9580 85f1d6 9582 
85f1e2 9580->9582 9583 85ac06 GetCurrentThreadId 9582->9583 9584 85f1ee 9583->9584 9586 85f20e 9584->9586 9587 85f12d 9584->9587 9589 85f139 9587->9589 9590 85f14d 9589->9590 9591 85ac06 GetCurrentThreadId 9590->9591 9592 85f165 9591->9592 9600 85b36a 9592->9600 9595 85b318 2 API calls 9596 85f188 9595->9596 9597 85f190 9596->9597 9598 85f1bd GetFileAttributesA 9596->9598 9599 85f1ac GetFileAttributesW 9596->9599 9598->9597 9599->9597 9601 85b41e 9600->9601 9602 85b37e 9600->9602 9601->9595 9601->9597 9602->9601 9603 85b1b9 2 API calls 9602->9603 9603->9602 9604 85f550 9606 85f559 9604->9606 9607 85ac06 GetCurrentThreadId 9606->9607 9608 85f565 9607->9608 9609 85f5b5 ReadFile 9608->9609 9610 85f57e 9608->9610 9609->9610 9611 85c41d 9614 85c265 9611->9614 9617 85c2cc 9614->9617 9619 85c2d9 9617->9619 9620 85c2ef 9619->9620 9623 85ac06 GetCurrentThreadId 9620->9623 9630 85c2f7 9620->9630 9621 85c3c4 9650 85c104 9621->9650 9622 85c3d7 9626 85c3f5 LoadLibraryExA 9622->9626 9627 85c3e1 LoadLibraryExW 9622->9627 9624 85c319 9623->9624 9628 85b318 2 API calls 9624->9628 9629 85c39b 9626->9629 9627->9629 9631 85c32a 9628->9631 9630->9621 9630->9622 9631->9630 9632 85c358 9631->9632 9634 85bc44 9632->9634 9635 85bc60 9634->9635 9636 85bc6a 9634->9636 9635->9629 9654 85b497 9636->9654 9643 85bcba 9644 85bce7 9643->9644 9649 85bd1f 9643->9649 9664 85b675 9643->9664 9668 85b910 9644->9668 9647 85bcf2 9647->9649 9673 85b887 9647->9673 9649->9635 9677 85c456 9649->9677 9651 85c10f 9650->9651 9652 85c130 LoadLibraryExA 9651->9652 9653 85c11f 9651->9653 9652->9653 9653->9629 9655 85b4b3 9654->9655 9657 85b50c 9654->9657 9656 85b4e3 VirtualAlloc 9655->9656 9655->9657 9656->9657 9657->9635 9658 85b53d VirtualAlloc 9657->9658 9659 85b582 9658->9659 9659->9649 9660 85b5ba 9659->9660 9661 85b5e2 9660->9661 9662 85b5fb VirtualAlloc 9661->9662 9663 85b659 9661->9663 9662->9661 9662->9663 9663->9643 9665 85b690 9664->9665 9667 85b695 9664->9667 9665->9644 9666 85b6c8 lstrcmpiA 9666->9665 
9666->9667 9667->9665 9667->9666 9669 85ba1c 9668->9669 9671 85b93d 9668->9671 9669->9647 9671->9669 9679 85b422 9671->9679 9687 85c533 9671->9687 9674 85b8b0 9673->9674 9675 85b8f1 9674->9675 9676 85b8c8 VirtualProtect 9674->9676 9675->9649 9676->9674 9676->9675 9712 85c462 9677->9712 9680 85c265 15 API calls 9679->9680 9682 85b435 9680->9682 9681 85b47b 9681->9671 9682->9681 9683 85b487 9682->9683 9685 85b45e 9682->9685 9684 85c456 2 API calls 9683->9684 9684->9681 9685->9681 9686 85c456 2 API calls 9685->9686 9686->9681 9689 85c53c 9687->9689 9690 85c54b 9689->9690 9692 85ac06 GetCurrentThreadId 9690->9692 9695 85c553 9690->9695 9691 85c580 GetProcAddress 9697 85c576 9691->9697 9693 85c55d 9692->9693 9694 85c56d 9693->9694 9693->9695 9698 85bf94 9694->9698 9695->9691 9699 85bfb3 9698->9699 9703 85c080 9698->9703 9700 85bff0 lstrcmpiA 9699->9700 9701 85c01a 9699->9701 9699->9703 9700->9699 9700->9701 9701->9703 9704 85bedd 9701->9704 9703->9697 9705 85beee 9704->9705 9706 85bf1e lstrcpyn 9705->9706 9711 85bf79 9705->9711 9708 85bf3a 9706->9708 9706->9711 9707 85b422 14 API calls 9709 85bf68 9707->9709 9708->9707 9708->9711 9710 85c533 14 API calls 9709->9710 9709->9711 9710->9711 9711->9703 9713 85c471 9712->9713 9715 85ac06 GetCurrentThreadId 9713->9715 9718 85c479 9713->9718 9714 85c4c7 FreeLibrary 9720 85c4ae 9714->9720 9716 85c483 9715->9716 9717 85c493 9716->9717 9716->9718 9721 85be44 9717->9721 9718->9714 9722 85bea7 9721->9722 9723 85be67 9721->9723 9722->9720 9723->9722 9725 85aa00 9723->9725 9726 85aa09 9725->9726 9727 85aa21 9726->9727 9729 85a9e7 9726->9729 9727->9722 9730 85c456 2 API calls 9729->9730 9731 85a9f4 9730->9731 9731->9726 9738 67e9c1 9739 67fa1a VirtualAlloc 9738->9739 9740 67fa37 9739->9740 9740->9740 9741 4f715d0 9742 4f715d4 ChangeServiceConfigA 9741->9742 9744 4f718da 9742->9744 9745 4f71510 9746 4f71514 ControlService 9745->9746 9748 4f7158f 9746->9748 9753 85fd2f 9755 85fd3b 9753->9755 9756 85fd53 9755->9756 9758 85fd7d 9756->9758 
9759 85fc69 9756->9759 9761 85fc75 9759->9761 9762 85ac06 GetCurrentThreadId 9761->9762 9763 85fc88 9762->9763 9764 85fcc6 9763->9764 9765 85fd01 9763->9765 9768 85fca2 9763->9768 9764->9768 9769 85d340 9764->9769 9766 85fd06 CreateFileMappingA 9765->9766 9766->9768 9770 85d357 9769->9770 9771 85d3c0 CreateFileA 9770->9771 9772 85d454 9770->9772 9773 85d405 9771->9773 9772->9768 9773->9772 9774 85ca1f CloseHandle 9773->9774 9774->9772 9775 85c775 9777 85c781 9775->9777 9778 85c795 9777->9778 9780 85c7bd 9778->9780 9781 85c7d6 9778->9781 9783 85c7df 9781->9783 9784 85c7ee 9783->9784 9785 85c7f6 9784->9785 9786 85ac06 GetCurrentThreadId 9784->9786 9787 85c8a7 GetModuleHandleA 9785->9787 9788 85c899 GetModuleHandleW 9785->9788 9789 85c800 9786->9789 9792 85c82e 9787->9792 9788->9792 9790 85c81b 9789->9790 9791 85b318 2 API calls 9789->9791 9790->9785 9790->9792 9791->9790 9793 67b992 9794 67b995 9793->9794 9795 67b952 LdrInitializeThunk 9793->9795 9796 67eb50 9797 67f3a9 VirtualAlloc 9796->9797 9799 85f43d 9801 85f449 9799->9801 9802 85ac06 GetCurrentThreadId 9801->9802 9803 85f455 9802->9803 9805 85f475 9803->9805 9806 85f349 9803->9806 9808 85f355 9806->9808 9809 85f369 9808->9809 9810 85ac06 GetCurrentThreadId 9809->9810 9811 85f381 9810->9811 9812 85f396 9811->9812 9832 85f262 9811->9832 9816 85f39e 9812->9816 9824 85f307 IsBadWritePtr 9812->9824 9819 85f412 CreateFileA 9816->9819 9820 85f3ef CreateFileW 9816->9820 9817 85b318 2 API calls 9818 85f3d1 9817->9818 9818->9816 9821 85f3d9 9818->9821 9823 85f3df 9819->9823 9820->9823 9826 85cb5c 9821->9826 9825 85f329 9824->9825 9825->9816 9825->9817 9827 85cb69 9826->9827 9828 85cba2 CreateFileA 9827->9828 9831 85cc64 9827->9831 9829 85cbee 9828->9829 9830 85ca1f CloseHandle 9829->9830 9829->9831 9830->9831 9831->9823 9834 85f271 GetWindowsDirectoryA 9832->9834 9835 85f29b 9834->9835 9836 85c43e 9839 85c27e 9836->9839 9841 85c28a 9839->9841 9842 85c29f 9841->9842 9843 85c2cc 15 API calls 9842->9843 9844 85c2bd 
9842->9844 9843->9844 9845 81287f 9846 8128b4 9845->9846 9847 8128c3 RegOpenKeyA 9846->9847 9848 8128ea RegOpenKeyA 9846->9848 9847->9848 9849 8128e0 9847->9849 9850 812907 9848->9850 9849->9848 9851 81294b GetNativeSystemInfo 9850->9851 9852 812956 9850->9852 9851->9852 9853 4f70d48 9854 4f70d4c OpenSCManagerW 9853->9854 9856 4f70ddc 9854->9856 9857 4f71308 9858 4f71349 ImpersonateLoggedOnUser 9857->9858 9859 4f71376 9858->9859

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 324 4f715d0-4f7165a 327 4f71693-4f716b5 324->327 328 4f7165c-4f71666 324->328 335 4f716b7-4f716c4 327->335 336 4f716f1-4f71712 327->336 328->327 329 4f71668-4f7166a 328->329 330 4f7168d-4f71690 329->330 331 4f7166c-4f71676 329->331 330->327 333 4f7167a-4f71689 331->333 334 4f71678 331->334 333->333 337 4f7168b 333->337 334->333 335->336 338 4f716c6-4f716c8 335->338 342 4f71714-4f7171e 336->342 343 4f7174b-4f7176d 336->343 337->330 340 4f716eb-4f716ee 338->340 341 4f716ca-4f716d4 338->341 340->336 344 4f716d6 341->344 345 4f716d8-4f716e7 341->345 342->343 346 4f71720-4f71722 342->346 353 4f7176f-4f7177c 343->353 354 4f717a9-4f717ca 343->354 344->345 345->345 347 4f716e9 345->347 348 4f71745-4f71748 346->348 349 4f71724-4f7172e 346->349 347->340 348->343 351 4f71732-4f71741 349->351 352 4f71730 349->352 351->351 355 4f71743 351->355 352->351 353->354 356 4f7177e-4f71780 353->356 362 4f71803-4f71825 354->362 363 4f717cc-4f717d6 354->363 355->348 357 4f717a3-4f717a6 356->357 358 4f71782-4f7178c 356->358 357->354 360 4f71790-4f7179f 358->360 361 4f7178e 358->361 360->360 364 4f717a1 360->364 361->360 369 4f71827-4f71834 362->369 370 4f71861-4f718d8 ChangeServiceConfigA 362->370 363->362 365 4f717d8-4f717da 363->365 364->357 367 4f717fd-4f71800 365->367 368 4f717dc-4f717e6 365->368 367->362 371 4f717ea-4f717f9 368->371 372 4f717e8 368->372 369->370 373 4f71836-4f71838 369->373 380 4f718e1-4f71920 370->380 381 4f718da-4f718e0 370->381 371->371 374 4f717fb 371->374 372->371 375 4f7185b-4f7185e 373->375 376 4f7183a-4f71844 373->376 374->367 375->370 378 4f71846 376->378 379 4f71848-4f71857 376->379 378->379 379->379 383 4f71859 379->383 384 4f71922-4f71926 380->384 385 4f71930-4f71934 380->385 381->380 383->375 384->385 387 4f71928-4f7192b call 4f7013c 384->387 388 4f71936-4f7193a 385->388 389 4f71944-4f71948 385->389 387->385 388->389 391 4f7193c-4f7193f call 4f7013c 388->391 392 4f7194a-4f7194e 389->392 393 4f71958-4f7195c 389->393 391->389 392->393 
395 4f71950-4f71953 call 4f7013c 392->395 396 4f7195e-4f71962 393->396 397 4f7196c-4f71970 393->397 395->393 396->397 401 4f71964-4f71967 call 4f7013c 396->401 398 4f71972-4f71976 397->398 399 4f71980-4f71984 397->399 398->399 402 4f71978-4f7197b call 4f7013c 398->402 403 4f71986-4f7198a 399->403 404 4f71994 399->404 401->397 402->399 403->404 407 4f7198c-4f7198f call 4f7013c 403->407 409 4f71995 404->409 407->404 409->409
    APIs
    • ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 04F718C8
    Memory Dump Source
    • Source File: 00000000.00000002.1943381492.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4f70000_file.jbxd
    Similarity
    • API ID: ChangeConfigService
    • String ID:
    • API String ID: 3849694230-0
    • Opcode ID: 40e1b725243e866a577fc563e745304cce237b44b1cb54c007b6a1eb2ee8541b
    • Instruction ID: 07879d01a0927b50b003714657769114b882f4331ae17a03b5c3f9e5f00a752c
    • Opcode Fuzzy Hash: 40e1b725243e866a577fc563e745304cce237b44b1cb54c007b6a1eb2ee8541b
    • Instruction Fuzzy Hash: 52C15B71D002599FDB10CFA8CE857AEBBB1BF44314F14852AE854A7384D778A89ACB81

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 410 804089-80408d LoadLibraryA 411 80409b-80409d 410->411 412 8040a3 411->412 413 8040b8-804217 411->413 412->413
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: f7362f486ed175394eb2babe588d9713516ded38be25ce7e789f7b34b9c535ad
    • Instruction ID: fdd4b1e2680e18977e9ee4ea15daf21339f51ca617b1523ffb4ecb3962315646
    • Opcode Fuzzy Hash: f7362f486ed175394eb2babe588d9713516ded38be25ce7e789f7b34b9c535ad
    • Instruction Fuzzy Hash: 40317CF250C6049FE345AF68DCC27BABBE5FB58360F16492DEBC583240E63558448A87
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID:
    • String ID: !!iH
    • API String ID: 0-3430752988
    • Opcode ID: 6e21470ffb38d08e7365c7ee9840f03f9999530929cf5d673f4c40498792a0b3
    • Instruction ID: e81adcc6b8fe6bd25ffdc58da78579ec4601997a4c185dba17be3fa6f22e2289
    • Opcode Fuzzy Hash: 6e21470ffb38d08e7365c7ee9840f03f9999530929cf5d673f4c40498792a0b3
    • Instruction Fuzzy Hash: 74E0C231108985DADF66DF70880179A761FDB41700F90A128FF199AE46CB2D0C12879A

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 0085C3EA
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 0085C3FE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: d94d0fa1013dbf988b374bb1c6e9c1bd4fac2ddaed48ae5f8d40026b5a4d0e5a
    • Instruction ID: 82b455eb31f7019ffdd4fc82346f7297ce8eb604ac0ebef810452b7d980c56dd
    • Opcode Fuzzy Hash: d94d0fa1013dbf988b374bb1c6e9c1bd4fac2ddaed48ae5f8d40026b5a4d0e5a
    • Instruction Fuzzy Hash: D4317C3140420DEFCF259F54D908AAD7B75FF08356F108159FC05EA261C7719AA8EF96

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,0085C771,?,00000000,00000000), ref: 0085C89C
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,0085C771,?,00000000,00000000), ref: 0085C8AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: f8e32ed8e33619f89a54c94e6fefaf782a8e3e35a0a063361851388b3470b249
    • Instruction ID: 37e3b9ba698b6bf85bf145354917d8ace1f988018a25dd57bc24ededd4fbe40d
    • Opcode Fuzzy Hash: f8e32ed8e33619f89a54c94e6fefaf782a8e3e35a0a063361851388b3470b249
    • Instruction Fuzzy Hash: 6F11FE3110470AEFEB24AF25C8497A97AB0FF04747F144635BC06D58D1C7B69998DE92

    Control-flow Graph

    APIs
    • GetFileAttributesW.KERNELBASE(00FE1BC4,-11C55FEC), ref: 0085F1B2
    • GetFileAttributesA.KERNEL32(00000000,-11C55FEC), ref: 0085F1C0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: aab067c29a8ad09024d669c8426e65559909a3cfc76970855d50f1638521c29d
    • Instruction ID: 521b1fca14cc75f9614e5539b2074e3a3da63d59086cae94f07a0802982ba449
    • Opcode Fuzzy Hash: aab067c29a8ad09024d669c8426e65559909a3cfc76970855d50f1638521c29d
    • Instruction Fuzzy Hash: 4301D170544A09FBDB22AF24C94979D7EB1FF1034BF604131EE06F5092C3B18E98EA86

    Control-flow Graph

    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 008128D6
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 008128FD
    • GetNativeSystemInfo.KERNELBASE(?), ref: 00812954
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: 0f3d91bf893938e9cb90a2f34e2d93ba4d940ca76625d1b80827cf5e0528d405
    • Instruction ID: b999a71b959aaba8224e4198fbba2161902db4c78806782879fc0852141a5457
    • Opcode Fuzzy Hash: 0f3d91bf893938e9cb90a2f34e2d93ba4d940ca76625d1b80827cf5e0528d405
    • Instruction Fuzzy Hash: 914136B240820FAFEB10DF64D858BEE7BA8FF15714F10042AAA41C6900D7768DA4DF59

    Control-flow Graph

    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 0085B21B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 87f039b047cec4f7519838fb21de2c2308e6d30583e099e10f9151690bede459
    • Instruction ID: 47d94359e5a840c3e5fb21eb519368511960510b8cf64eef74a8333708e431a1
    • Opcode Fuzzy Hash: 87f039b047cec4f7519838fb21de2c2308e6d30583e099e10f9151690bede459
    • Instruction Fuzzy Hash: C9311735A0020ABFDF229F94D84AF9EBAB9FF18746F001161F901A50A0D7729969DF61

    Control-flow Graph: rendered graph not reproduced (basic blocks 80421d-8044f7; calls LoadLibraryA)
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: 3}e
    • API String ID: 1029625771-516119999
    • Opcode ID: e21f17478b31b589e80c3575466164a8264775091c343d5c10f440226316aa28
    • Instruction ID: 925959754038f47629cda51d2b0a8c6f8f560080bcb7580ee26a50bae12213a7
    • Opcode Fuzzy Hash: e21f17478b31b589e80c3575466164a8264775091c343d5c10f440226316aa28
    • Instruction Fuzzy Hash: 3E3118B290C300EFD7156F18E8416BAFBE1EF98310F12491DE6D993250D73558509B8B

    Control-flow Graph: rendered graph not reproduced (basic blocks 85c8c8-85c93e; calls 85ac06, 85b318, 85acb1, GetModuleHandleExA)
    APIs
      • Part of subcall function 0085AC06: GetCurrentThreadId.KERNEL32 ref: 0085AC15
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 0085C92C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleThread
    • String ID: .dll
    • API String ID: 2752942033-2738580789
    • Opcode ID: 3100d507ab82a37f68b5db3a101953ab8545447ce484569c93de2463ac065e8d
    • Instruction ID: 723579f4ffc5f995f22cfbe9748ddfea5c8b13a224c70a4c4e2b2e5969bf45ad
    • Opcode Fuzzy Hash: 3100d507ab82a37f68b5db3a101953ab8545447ce484569c93de2463ac065e8d
    • Instruction Fuzzy Hash: 3FF09071100309AFDF109F58C98ABAA3BB1FF04342F508214FD05C9152C772C958AA62

    Control-flow Graph: rendered graph not reproduced (basic blocks 85f355-85f43a; calls 85ac06, 85f262, 85f307, 85b318, 85cb5c, 85acb1, CreateFileW, CreateFileA)
    APIs
    • CreateFileW.KERNELBASE(00FE1BC4,?,?,-11C55FEC,?,?,?,-11C55FEC,?), ref: 0085F407
      • Part of subcall function 0085F307: IsBadWritePtr.KERNEL32(?,00000004), ref: 0085F315
    • CreateFileA.KERNEL32(?,?,?,-11C55FEC,?,?,?,-11C55FEC,?), ref: 0085F427
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: a786b70020a2b3f845bc68821a4b5fe01e6adfd8ad52d2d57311217f2d14616c
    • Instruction ID: 723304d80669d8fda7b0d5657d30444ab52e7eee3e6171f0be5965bd633a4123
    • Opcode Fuzzy Hash: a786b70020a2b3f845bc68821a4b5fe01e6adfd8ad52d2d57311217f2d14616c
    • Instruction Fuzzy Hash: E911FC7110410AFBEF129F94DD09BDE3E62FF1434AF008125FE05945A2C7768AB9EB92

    Control-flow Graph: rendered graph not reproduced (basic blocks 85ecc1-85ed47; calls 85ac06, GetCurrentProcess, 85aa60, 85ca5e, 85acb1, DuplicateHandle)
    APIs
      • Part of subcall function 0085AC06: GetCurrentThreadId.KERNEL32 ref: 0085AC15
    • GetCurrentProcess.KERNEL32(-11C55FEC), ref: 0085ECCE
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0085ED34
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessThread
    • String ID:
    • API String ID: 3748180921-0
    • Opcode ID: 18d594c162f05ca8f280311fc474495f215f93506dd43eb876d9c3e15da05160
    • Instruction ID: bd5226a31dd4441033099d1ea75f0fcba5cb5a68a487c52c3486bef9f93e61eb
    • Opcode Fuzzy Hash: 18d594c162f05ca8f280311fc474495f215f93506dd43eb876d9c3e15da05160
    • Instruction Fuzzy Hash: 6D016D3610010EBBCF2AAFA8CC45C9E3B76FF5438A7104615FD01D4011C736C66AEB62

    Control-flow Graph: rendered graph not reproduced (basic blocks 4f715c4-4f71995; calls ChangeServiceConfigA, 4f7013c)
    APIs
    • ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 04F718C8
    Memory Dump Source
    • Source File: 00000000.00000002.1943381492.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4f70000_file.jbxd
    Similarity
    • API ID: ChangeConfigService
    • String ID:
    • API String ID: 3849694230-0
    • Opcode ID: 914365a73387d12681746ebc7e632a27454a0f07c5dc3d49e982307cce761cb8
    • Instruction ID: aac2b44223010386b65ead0c9254362682e837bfef50ca1c9d0c83c53fd62061
    • Opcode Fuzzy Hash: 914365a73387d12681746ebc7e632a27454a0f07c5dc3d49e982307cce761cb8
    • Instruction Fuzzy Hash: D1C16C70D002599FDB10CFA8CE857AEBBF1BF44314F14852AE855A7384D778A89ACB81

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 415 80810a-808119 416 808134-80815a 415->416 417 80811f 415->417 419 808160 416->419 420 808166-808212 CreateFileA call 808215 416->420 417->416 419->420
    APIs
    • CreateFileA.KERNELBASE(?,F3EE82C1,00000003,00000000,00000003), ref: 00808208
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: eca7e3dc9ea22d117cc8db07be1f04cf32b0e6bf559fd0000d61a9ea5b42e9dd
    • Instruction ID: f4774c8934005c3a374e4c6ba4fe0410a5b257346c90436991bfa0b2888a5851
    • Opcode Fuzzy Hash: eca7e3dc9ea22d117cc8db07be1f04cf32b0e6bf559fd0000d61a9ea5b42e9dd
    • Instruction Fuzzy Hash: 2A21F2F728C216BDF380CA946E11AFB7B6DEBC2730F30842AF441D2482E7964D4A5234

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 427 808124-808125 428 808127-808153 427->428 429 808158-80815a 427->429 428->429 430 808160 429->430 431 808166-808212 CreateFileA call 808215 429->431 430->431
    APIs
    • CreateFileA.KERNELBASE(?,F3EE82C1,00000003,00000000,00000003), ref: 00808208
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 0a368d75ff8cd1444a9db188f0770e44d180f5d4815798ea9ff3612f36202014
    • Instruction ID: c469dedf90f796cbe448bbd32fc790a1395b423fa05e0cd1c5a864673ad6e67e
    • Opcode Fuzzy Hash: 0a368d75ff8cd1444a9db188f0770e44d180f5d4815798ea9ff3612f36202014
    • Instruction Fuzzy Hash: D321D6F614C616BEF741CA946E15AFB7B6DFB82330F30442AF481D64C2E7960D465274
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 0085D3F5
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 1c73cc4419b4c5a80deba9bf67953f5028fe6a953cf208eac9de2ed9831b8b94
    • Instruction ID: 8fb89ead9f6aae63775f9f7ef09ccfb8a1e302eaf85b3f0e4a1a59c10f7933c4
    • Opcode Fuzzy Hash: 1c73cc4419b4c5a80deba9bf67953f5028fe6a953cf208eac9de2ed9831b8b94
    • Instruction Fuzzy Hash: 3D316A71500308FBEB209FA4DC85F9EBBB8FB44315F20826AFD05EA191D772A959CB11
    APIs
    • CreateFileA.KERNELBASE(00808010), ref: 008080B9
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: b4f609e004a4b5cdf010cf50e6b709851ae3c309908c0023f66482f4894d5f15
    • Instruction ID: 14781a307da8fb85c7cdd5346c44a55f987ee35fc390778d4e618566ffd43c47
    • Opcode Fuzzy Hash: b4f609e004a4b5cdf010cf50e6b709851ae3c309908c0023f66482f4894d5f15
    • Instruction Fuzzy Hash: 891103EB18D645BDF292C6542E649FBABBCF6C2374730846BF4C1C2083E9A40D8D5631
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 0085CBDE
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: b7609d67dca6a253520551b9c52db390aeb266a3ea2c4ada47277bc30dab0da3
    • Instruction ID: d9138d89849f6e693042f1d7fdcfc50ad9f6671e1c88a13d1f13994c07d5fd83
    • Opcode Fuzzy Hash: b7609d67dca6a253520551b9c52db390aeb266a3ea2c4ada47277bc30dab0da3
    • Instruction Fuzzy Hash: 7931C371600305BFEB209F68DC45F997BB8FF04725F204259FA19EA1D1C7B2A9598F11
    APIs
    • CreateFileA.KERNELBASE(00808010), ref: 008080B9
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: b62e9ba88ac9aae9d04d1b8ff4e69338f64ae03cf0ed1bb361db7332a7bff795
    • Instruction ID: 33a27bf7ab9d5248079a30b038bf37bb9e8cb36a3da8e74edf89bb556e8e14a3
    • Opcode Fuzzy Hash: b62e9ba88ac9aae9d04d1b8ff4e69338f64ae03cf0ed1bb361db7332a7bff795
    • Instruction Fuzzy Hash: 4F0126B7088609ADE392CA546E949FA7BBCF9C23747344466F0C5C3183D9A50ECE5631
    APIs
    • CreateFileA.KERNELBASE(?,F3EE82C1,00000003,00000000,00000003), ref: 00808208
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: be43fbacc9161b3aaa959440bf9ffff38bf7a0c27b68edfa808e49442d8aecbb
    • Instruction ID: 4d6a9d948ec7d30e767033f4db22dc8b4f6ccfa92610dd4828a0fe670bdf4892
    • Opcode Fuzzy Hash: be43fbacc9161b3aaa959440bf9ffff38bf7a0c27b68edfa808e49442d8aecbb
    • Instruction Fuzzy Hash: 21F049F71CC1167DF20195986E099FBBF6EF983370B304029F441D2883E6860D0A6130
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00807EEB
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 7d1d3ae60646c8071424afc66ea1bc88c8f20870e473cd90d86c401ff2d788f3
    • Instruction ID: 6c07e0a4dbb43d28e62fffc093520e9736f81be8918bb8f7a8fec4dff0e57ec5
    • Opcode Fuzzy Hash: 7d1d3ae60646c8071424afc66ea1bc88c8f20870e473cd90d86c401ff2d788f3
    • Instruction Fuzzy Hash: 4A018CBB64C2197EF3418A04AE10BBB77ADEBC4B30F2184BAF940D2581D2915D4A4270
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04F70DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1943381492.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4f70000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: d8a1ba4dd4604c9152a6473bc9cb14a56546f4443b4e7dc3a80d18c8de64cdbf
    • Instruction ID: 356b7e17c5c8aa7f39adea639ae0a5524678ad61a220af27be21444d86b26e1f
    • Opcode Fuzzy Hash: d8a1ba4dd4604c9152a6473bc9cb14a56546f4443b4e7dc3a80d18c8de64cdbf
    • Instruction Fuzzy Hash: 722138B6C00218DFCB50CF99D884BDEFBF4EF88320F14852AD808AB204DB34A541CBA4
    APIs
    • CreateFileA.KERNELBASE(?,F3EE82C1,00000003,00000000,00000003), ref: 00808208
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: f4abdf0562b2f7083b40be4ecb7f7063adc2a94162ba1148871d395e0985759f
    • Instruction ID: ae9f1f27cb40d94b07f78646790d6215c61a1bcf6b2765b05f5357add53a5492
    • Opcode Fuzzy Hash: f4abdf0562b2f7083b40be4ecb7f7063adc2a94162ba1148871d395e0985759f
    • Instruction Fuzzy Hash: BF0126F708C2157EF2418A986E54AFBBF6EFA833747304029F441D68C3EB8A5A095170
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04F70DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1943381492.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4f70000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: ff7478b9a91c0f53f2e2eb9b160eab7c93fdeb83a397e9e0489db45937632e81
    • Instruction ID: 0b8acd420c4e34e20a1de2540270d64c16abffa23d494989b5c97f9716837bc8
    • Opcode Fuzzy Hash: ff7478b9a91c0f53f2e2eb9b160eab7c93fdeb83a397e9e0489db45937632e81
    • Instruction Fuzzy Hash: 862115B6C01218DFCB50CF99D884ADEFBF4EF88720F14852AD908AB204DB74A541CBA4
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00807EEB
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 8c5af8c4c66780fb2b83e892c935e88a834f5eb19619a84e11f359cac181fbd4
    • Instruction ID: 98918415298c3c500028257ebc5b7721c492633905ef2708e3cbbc79376c5221
    • Opcode Fuzzy Hash: 8c5af8c4c66780fb2b83e892c935e88a834f5eb19619a84e11f359cac181fbd4
    • Instruction Fuzzy Hash: E001B1B764D219AEF341CA149D00BBB77A9FBC0B30F3184BAF440C7582C3A16D468270
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04F71580
    Memory Dump Source
    • Source File: 00000000.00000002.1943381492.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4f70000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 143c77a4d160cc9731c8126613bae994c92cbef4813e6bd0bafcf802bbd8f872
    • Instruction ID: 0a207e5d813d5f2c07cfaeec88a7a276e5e3494d59cfe7eea3b79cf8439b64a5
    • Opcode Fuzzy Hash: 143c77a4d160cc9731c8126613bae994c92cbef4813e6bd0bafcf802bbd8f872
    • Instruction Fuzzy Hash: DE2103B5D00249DFDB20CF9AC584BDEFBF4AB48324F10842AE559A7350D378AA45CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04F71580
    Memory Dump Source
    • Source File: 00000000.00000002.1943381492.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4f70000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 4a60a1730d67fcc70cf4e4fb0ec949361d97929027bb3f5a8573394e79b97437
    • Instruction ID: cc970891fd96bee589ca41de78486f1d2b8a6b964975512c12f33c210535c074
    • Opcode Fuzzy Hash: 4a60a1730d67fcc70cf4e4fb0ec949361d97929027bb3f5a8573394e79b97437
    • Instruction Fuzzy Hash: D711D3B5900249DFDB10CF9AC584BDEFBF4AB48320F14842AE559A7250D378A645CFA5
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 5c9c06a7c8f56b7bd1c46b3ecff08a70e35bc6f3c7d1909e9f52639a6d2fdae0
    • Instruction ID: 4a7e5f4e44ffb41f3dc1b9d09c6ad69628477222a2937583a213488fe5e6522e
    • Opcode Fuzzy Hash: 5c9c06a7c8f56b7bd1c46b3ecff08a70e35bc6f3c7d1909e9f52639a6d2fdae0
    • Instruction Fuzzy Hash: B901F5F3508709AFE3005EB9DCCA53A7BD8EF44614F15063DF192DA780F56599428F02
    APIs
      • Part of subcall function 0085AC06: GetCurrentThreadId.KERNEL32 ref: 0085AC15
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11C55FEC), ref: 0085FF14
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CurrentFileThreadView
    • String ID:
    • API String ID: 1949693742-0
    • Opcode ID: 2ab829f7e1b722a7d45d84a03512bd3ab2048310c76e6d530ae35e9b8b8788df
    • Instruction ID: 727c65efb29738716d7f817f2b93d901b90ac643f9eb926d20272927295d995f
    • Opcode Fuzzy Hash: 2ab829f7e1b722a7d45d84a03512bd3ab2048310c76e6d530ae35e9b8b8788df
    • Instruction Fuzzy Hash: 7711BA3210010EEBCF129FA8DD4AC9E3A66FF59346B504521FE01D5462CB36C97AEB62
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CurrentThread
    • String ID:
    • API String ID: 2882836952-0
    • Opcode ID: af067d0bf11b0d384c5842f1e4078c432250471ab316bff45d7d0b14539eb5da
    • Instruction ID: 5da56561426a2bc5c4df291d22929550937630584a6e7e11d61af49c6c8b8a7d
    • Opcode Fuzzy Hash: af067d0bf11b0d384c5842f1e4078c432250471ab316bff45d7d0b14539eb5da
    • Instruction Fuzzy Hash: E411257150010EEBCF129F98C949E9E7B75FF44346F048125FE01C6166D735CA69EB52
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04F71367
    Memory Dump Source
    • Source File: 00000000.00000002.1943381492.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4f70000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 9117c1e5847ee7efeb2dd63a4e44ca8720cf647919401745fd81b14989a27a53
    • Instruction ID: 932b206f3550631e3dab1d5bd6514286b81f48b31b4fb1d51df2195a4cad7308
    • Opcode Fuzzy Hash: 9117c1e5847ee7efeb2dd63a4e44ca8720cf647919401745fd81b14989a27a53
    • Instruction Fuzzy Hash: 4F1155B1800249CFDB10CFAAD585BDEFBF4EF48320F24846AD558A3250D778A585CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04F71367
    Memory Dump Source
    • Source File: 00000000.00000002.1943381492.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4f70000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 7fa7cc2790c1e06dfb113f64533400b9fa4338cd7509ec4ecd507b1cc68504b6
    • Instruction ID: 72c4e6807575e6c5dcd16f17225e464ee9fc83d1bc4a106c9b4b7004ec726050
    • Opcode Fuzzy Hash: 7fa7cc2790c1e06dfb113f64533400b9fa4338cd7509ec4ecd507b1cc68504b6
    • Instruction Fuzzy Hash: 7C1145B1800249CFDB10CF9AC944BDEFBF8EB48320F24846AD558A3350D778A984CFA5
    APIs
    • CreateFileA.KERNELBASE(00808010), ref: 008080B9
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 8d00e72de000553a431f5f36faf776fbfff3f5ae7abc7904fb413059c647eda4
    • Instruction ID: cb5250144bf81e3d9a3c5d198ce28e781ec35e5c533795423d03fbfb470f096e
    • Opcode Fuzzy Hash: 8d00e72de000553a431f5f36faf776fbfff3f5ae7abc7904fb413059c647eda4
    • Instruction Fuzzy Hash: 4AF05066088B4ACEC796CB281D681E8BFA4FD412747180496C4C4D7193DC6509DE4B25
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00807EEB
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: f3a0e3e9f12e2f00ce90cfb0ffcf798660baf9bff8ea3acc7fe76a187b709a02
    • Instruction ID: 47afffc17751763d51013bfa7f503a541ef71a8e3a83515e58a84414834456ba
    • Opcode Fuzzy Hash: f3a0e3e9f12e2f00ce90cfb0ffcf798660baf9bff8ea3acc7fe76a187b709a02
    • Instruction Fuzzy Hash: 9FF062BB64C319AEF7418E049D50B7E73A5EBC0B30F31857AF940D75C1D2A15D054660
    APIs
      • Part of subcall function 0085AC06: GetCurrentThreadId.KERNEL32 ref: 0085AC15
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11C55FEC,?,?,0085D288,?,?,00000400,?,00000000,?,00000000), ref: 0085F5C5
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CurrentFileReadThread
    • String ID:
    • API String ID: 2348311434-0
    • Opcode ID: 77591c8cb4fee77ac68a8c6b7d7a24b65acca66bf95a349e836a60fa7b57bc79
    • Instruction ID: 8d0227e03560d524f4704c18cc344ba0aa4581610ebf187ab2e48ed4f1c7f4ea
    • Opcode Fuzzy Hash: 77591c8cb4fee77ac68a8c6b7d7a24b65acca66bf95a349e836a60fa7b57bc79
    • Instruction Fuzzy Hash: ADF03C7210010EBBCF129F98CD45D8E3F66FF44346B408121FE06D5022D732CAA9EBA2
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00807EEB
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 82ea2a9b5eaf20fca71f32a35292b741d22b3bf6a972a00759ddc8752c34511a
    • Instruction ID: d189c1ba58db9a87c78dd37a9c6401d11d267d74005903e406e1648b1782d991
    • Opcode Fuzzy Hash: 82ea2a9b5eaf20fca71f32a35292b741d22b3bf6a972a00759ddc8752c34511a
    • Instruction Fuzzy Hash: 2DE09BB754D21B6DF701DE148D40ABF7758FBD5734B218479E840D3581D5605D4B0534
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: ccfaa0e078c528b1921664ca04b56ffa55fc359f4c506aaa611dc0b6ce665cd4
    • Instruction ID: c9be6a061bc9efaeb9c8357e28659fa3a456c3a7306c4a92ef122335faaf303c
    • Opcode Fuzzy Hash: ccfaa0e078c528b1921664ca04b56ffa55fc359f4c506aaa611dc0b6ce665cd4
    • Instruction Fuzzy Hash: 61010471A00109FBCF219FA4DC05D8EBB76FF49742F0042A1B801A40A0E7329665DB65
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 0067F8C1
    Memory Dump Source
    • Source File: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 568b2cc0ae9b60ec9c731f382bba179718ec3f7b1f003c34bc831bdf01d5c585
    • Instruction ID: 456f91588e7fae1907f4026c4fe797dcfde9d0519600bf5ac02cc7db100345ef
    • Opcode Fuzzy Hash: 568b2cc0ae9b60ec9c731f382bba179718ec3f7b1f003c34bc831bdf01d5c585
    • Instruction Fuzzy Hash: 3EF090BA94C1148BD704AF68C8D0B7ABBE1EF14300F1A852C9EC593750D6391D208783
    APIs
      • Part of subcall function 0085AC06: GetCurrentThreadId.KERNEL32 ref: 0085AC15
    • CloseHandle.KERNELBASE(0085D31D,-11C55FEC,?,?,0085D31D,?), ref: 0085D998
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleThread
    • String ID:
    • API String ID: 3305057742-0
    • Opcode ID: 49c40376b7cbfdcec763b70275b966afb17683532ad6ed6b87dc3f293ad50a07
    • Instruction ID: 4f237590e4efcf522e57b5a570e1e9519c98eca4ed7ca8a41a0f420024970277
    • Opcode Fuzzy Hash: 49c40376b7cbfdcec763b70275b966afb17683532ad6ed6b87dc3f293ad50a07
    • Instruction Fuzzy Hash: 18E04FB220460ABBCB217B7DC989E5E2EA8FFC07567504221BC06C5046DA66C59AD623
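    The function records above share a fixed layout: an APIs list with call sites (optionally marked as part of a subcall), a Memory Dump Source naming the .sdmp region the function was disassembled from, and a Similarity block of IDs and fuzzy hashes. The parser below is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. It turns the records into structures, indexes call sites by API name, and decodes the dump file names. The reading of the fifth and seventh dotted fields of an .sdmp name as a Windows page-protection value and memory type (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE, 0x01000000 = MEM_IMAGE) is an assumption inferred from the values on this page, not documented Joe Sandbox behaviour. The sample input is constructed from two of the records above, with one Associated line deliberately carrying the "Download File" link text that web extraction leaves behind.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source / Similarity)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Standard Windows page-protection and memory-type constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMPTION: an .sdmp name is <proc>.<dump#>.<id>.<base>.<protect>.<state>.<type>.<seq>;
# this is inferred from the values on this page, not from Joe Sandbox documentation.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]{8})\.sdmp$"
)
# "Part of subcall function X: Api.Module(args), ref: ADDR" or "Api.Module ref: ADDR"
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                    # call-site address inside the dumped image
    args: tuple                 # argument values as printed ("?" = unresolved)
    subcall_of: Optional[int]   # callee address when the call is one level down

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    source_dump: str = ""
    pe_offset: int = 0
    associated: list = field(default_factory=list)
    api_id: str = ""
    api_string_id: str = ""
    opcode_hash: str = ""
    instruction_hash: str = ""

def parse_records(text: str) -> list:
    """Split report text into FunctionRecord objects; a record starts at each 'APIs' line."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        if line == "APIs":
            rec = FunctionRecord()
            records.append(rec)
            section = "apis"
            continue
        if rec is None:
            continue
        if line in ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
            continue
        if section == "apis":
            m = API_RE.match(line)
            if m:
                args = tuple(a for a in (m["args"] or "").split(",") if a)
                sub = int(m["sub"], 16) if m["sub"] else None
                rec.calls.append(ApiCall(m["api"], m["module"], int(m["ref"], 16), args, sub))
            continue
        key, _, value = line.partition(": ")
        if value.endswith("Download File"):          # strip web-extraction link residue
            value = value[: -len("Download File")]
        if key == "Source File":
            parts = value.split(", ")
            rec.source_dump = parts[0]
            for p in parts[1:]:
                if p.startswith("Offset: "):
                    rec.pe_offset = int(p[len("Offset: "):], 16)
        elif key == "Associated":
            rec.associated.append(value)
        elif key == "API ID":
            rec.api_id = value
        elif key == "API String ID":
            rec.api_string_id = value
        elif key == "Opcode Fuzzy Hash":
            rec.opcode_hash = value
        elif key == "Instruction Fuzzy Hash":
            rec.instruction_hash = value
    return records

def decode_sdmp(name: str) -> dict:
    """Decode base address, protection and memory type from a dump file name (see ASSUMPTION above)."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    protect, mtype = int(m["protect"], 16), int(m["type"], 16)
    return {
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(protect, f"0x{protect:x}"),
        "executable": bool(protect & 0xF0),   # PAGE_EXECUTE* values
        "writable": bool(protect & 0xCC),     # *_READWRITE / *_WRITECOPY values
        "type": MEM_TYPE.get(mtype, f"0x{mtype:x}"),
    }

def api_index(records: list) -> dict:
    """Map API name -> sorted call-site addresses, across all records."""
    index = {}
    for rec in records:
        for c in rec.calls:
            index.setdefault(c.api, set()).add(c.ref)
    return {k: sorted(v) for k, v in index.items()}

def writable_code_regions(records: list) -> dict:
    """Dump regions that hold disassembled functions yet are writable: where unpacked code lives."""
    found = {}
    for rec in records:
        if not rec.source_dump:
            continue
        info = decode_sdmp(rec.source_dump)
        if info["writable"] and info["executable"]:
            found[rec.source_dump] = info
    return found

# Constructed sample: two records trimmed to this report's layout.
SAMPLE_REPORT = """\
APIs
• CreateFileA.KERNELBASE(00000000), ref: 00807EEB
Memory Dump Source
• Source File: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_file.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode Fuzzy Hash: 82ea2a9b5eaf20fca71f32a35292b741d22b3bf6a972a00759ddc8752c34511a
• Instruction Fuzzy Hash: 2DE09BB754D21B6DF701DE148D40ABF7758FBD5734B218479E840D3581D5605D4B0534
APIs
  • Part of subcall function 0085AC06: GetCurrentThreadId.KERNEL32 ref: 0085AC15
• ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11C55FEC,?,?,0085D288,?,?,00000400,?,00000000,?,00000000), ref: 0085F5C5
Memory Dump Source
• Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
Similarity
• API ID: CurrentFileReadThread
• API String ID: 2348311434-0
• Opcode Fuzzy Hash: 77591c8cb4fee77ac68a8c6b7d7a24b65acca66bf95a349e836a60fa7b57bc79
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for api, refs in sorted(api_index(recs).items()):
        print(f"{api:20s} {', '.join(f'{r:08X}' for r in refs)}")
    for name, info in writable_code_regions(recs).items():
        print(f"W+X code region {info['base']:08X} {info['protect']} ({info['type']})")
```

    Run against the whole report text rather than the sample, the API index is what you would feed into a YARA or capa-style triage (every call site of VirtualAlloc, CreateFileA, ReadFile and CloseHandle with its address), and the W+X check ties the per-function records back to the "Detected unpacking (changes PE section rights)" signature: every disassembled function here sits in a region that is both writable and executable, which a clean image's .text section would not be. The Opcode and Instruction fuzzy hashes are what you would pivot on when hunting for the same unpacked functions in other samples.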
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 0067FA25
    Memory Dump Source
    • Source File: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    APIs
    • CloseHandle.KERNELBASE(?,?,0085AAA5,?,?), ref: 0085CA25
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    APIs
      • Part of subcall function 0085AC06: GetCurrentThreadId.KERNEL32 ref: 0085AC15
    • GetSystemTime.KERNEL32(?,-11C55FEC), ref: 0085ED88
    • GetFileTime.KERNEL32(?,?,?,?,-11C55FEC), ref: 0085EDCB
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSystemThread
    • String ID:
    • API String ID: 2191017843-0
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 0085FC58
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: feddb6649ca2ad63f2c7b050b7f5d48396a1102383dddaa5907cae22a0fa0cd7
    • Instruction ID: 5fbc55617e35d2fdbe67fc3d5de69cc7cf066cb1adcbd7ab2cbb0fc6db0275a3
    • Opcode Fuzzy Hash: feddb6649ca2ad63f2c7b050b7f5d48396a1102383dddaa5907cae22a0fa0cd7
    • Instruction Fuzzy Hash: 894180B240D7409FE706AF28DCD17AABFE1EF59320F060A6DEAC187641E6355844CB87
    Memory Dump Source
    • Source File: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0d176079fb6229fc5aecd5cfd3b76125c8ffc63857ce81e76e43006c3e972d60
    • Instruction ID: 42e9ed8a2d7d9fb506c6be412718b0d477ee54435715e1288dfaea7cd327081d
    • Opcode Fuzzy Hash: 0d176079fb6229fc5aecd5cfd3b76125c8ffc63857ce81e76e43006c3e972d60
    • Instruction Fuzzy Hash: 83E04636008101AECB009F94C84599FFBF8FF19320F65888AF884CB622C3368C51CB2A
    APIs
      • Part of subcall function 0085AC06: GetCurrentThreadId.KERNEL32 ref: 0085AC15
      • Part of subcall function 0085F307: IsBadWritePtr.KERNEL32(?,00000004), ref: 0085F315
    • wsprintfA.USER32 ref: 0085E2CF
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 0085E393
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 439219941-2046107164
    • Opcode ID: 5b47ad28a9e5bc305231aea3f2d86bd0d62765bab2819ee8a9917c14c18a1e36
    • Instruction ID: df1e5c566e0f9ce68ba157ffd1b3898f270fe0e62793308b608570410a85fca2
    • Opcode Fuzzy Hash: 5b47ad28a9e5bc305231aea3f2d86bd0d62765bab2819ee8a9917c14c18a1e36
    • Instruction Fuzzy Hash: 2F31277190010AFBCF119F94DC49EEEBFBAFF84301F108125F911A62A1D7719A65DB61
    APIs
    • GetFileAttributesExW.KERNEL32(00FE1BC4,00004020,00000000,-11C55FEC), ref: 0085EF47
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1940922354.0000000000854000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.1932881281.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933004548.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933128233.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933254444.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1933377236.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935114663.00000000007E8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938373305.00000000007EA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938421022.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938449351.0000000000802000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.0000000000804000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938542573.000000000080C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1938757404.0000000000822000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939005713.0000000000829000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1939297887.0000000000834000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940299608.0000000000836000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940325231.000000000083D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940352544.000000000083E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940670611.0000000000841000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940948219.0000000000860000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940968672.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1940991920.0000000000863000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941009881.0000000000866000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941031877.0000000000875000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941057459.000000000087A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941084585.0000000000882000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941105284.0000000000886000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941125326.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941149532.000000000088F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941169024.0000000000890000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941195220.0000000000893000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941214221.000000000089A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941235267.000000000089C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941258286.00000000008AA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941281952.00000000008AB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941309822.00000000008AC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941332128.00000000008B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941351756.00000000008BB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941371087.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941399749.00000000008E1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941417735.00000000008E2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.000000000091C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941473736.0000000000922000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941594193.0000000000932000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1941625167.0000000000934000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: d675cfce96389dab7eef7e8f2e8b9260fd100aec95f93369f021c20ae5908b18
    • Instruction ID: 38d1ac1bb8cc9f7f75c6aa6e924ef728d8b80e9b72971f1bfcb3dc9fe1f40bfc
    • Opcode Fuzzy Hash: d675cfce96389dab7eef7e8f2e8b9260fd100aec95f93369f021c20ae5908b18
    • Instruction Fuzzy Hash: E1319E71504309EFDB288F44CC8879EBBB0FF08301F409559E859A7690C7B5AA68DB90