Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1572086
MD5: 10bb282a6a510155af521185a136c32d
SHA1: b0cddbafc0067a12a2e956719e31379dba526175
SHA256: fb4563df189c1a024633917a3ddb4ba58495fe4929cd1a71a955abfdadc5ce3c
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5724 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 10BB282A6A510155AF521185A136C32D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe | Virustotal: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2116453441.0000000005160000.00000004.00001000.00020000.00000000.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E5D3A3 NtQuerySystemInformation,0_2_00E5D3A3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E20009 0_2_00E20009
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E242CF 0_2_00E242CF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E2429C 0_2_00E2429C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD394 0_2_00EDD394
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6C888 0_2_00E6C888
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F32BAD 0_2_00F32BAD
Source: file.exe, 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_054815D0 ChangeServiceConfigA,0_2_054815D0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 55%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2800128 > 1048576
Source: file.exe | Static PE information: Raw size of pzmyaaxr is bigger than: 0x100000 < 0x2a5a00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2116453441.0000000005160000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.ca0000.0.unpack :EW;.rsrc:W;.idata :W;pzmyaaxr:EW;wkcwmztw:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2b049b should be: 0x2afad6
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: pzmyaaxr
Source: file.exe | Static PE information: section name: wkcwmztw
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E5D0A9 push ebp; ret 0_2_00E5D0E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E24000 push esi; mov dword ptr [esp], eax 0_2_00E2402A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E24000 push esi; mov dword ptr [esp], edx 0_2_00E240F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E24133 push ecx; mov dword ptr [esp], edx 0_2_00E2416E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E24133 push ebp; mov dword ptr [esp], eax 0_2_00E24188
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E24133 push ecx; mov dword ptr [esp], 76AFC590h 0_2_00E241AE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E24133 push esi; mov dword ptr [esp], ecx 0_2_00E241DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E313F3 push ecx; mov dword ptr [esp], 148E37ADh 0_2_00E313FF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E313F3 push 1D505FEDh; mov dword ptr [esp], eax 0_2_00E34C46
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CAE736 push esi; mov dword ptr [esp], ebx 0_2_00CAE73D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CAE81B push 1F91D42Ch; mov dword ptr [esp], edx 0_2_00CAF717
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CAE81B push esi; mov dword ptr [esp], 77FED5DDh 0_2_00CAF737
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CAF0CF push 15CB0BFFh; mov dword ptr [esp], ecx 0_2_00CAF441
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E690ED push ecx; ret 0_2_00E690FC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6D0C7 push ebp; ret 0_2_00E6D0D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E690C3 push eax; ret 0_2_00E690D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6C0CD push ebx; ret 0_2_00E6C0DC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6A0CA push ebx; ret 0_2_00E6A0D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E5D0D1 push ebp; ret 0_2_00E5D0E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E680D2 push ecx; ret 0_2_00E680E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E330DB push 6EFE7685h; mov dword ptr [esp], eax 0_2_00E34D5C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6B0D8 push edi; ret 0_2_00E6B0E7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6C0A5 push edi; ret 0_2_00E6C0B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F020B9 push esi; mov dword ptr [esp], eax 0_2_00F02390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E340A8 push 517F614Eh; mov dword ptr [esp], edi 0_2_00E347ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E280AD push 23B67A8Ah; mov dword ptr [esp], ebx 0_2_00E28462
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E330B3 push 2F76E8F7h; mov dword ptr [esp], eax 0_2_00E330CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CAC09C push ebp; mov dword ptr [esp], 775DC234h 0_2_00CAC72E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CAC09C push ebx; mov dword ptr [esp], edx 0_2_00CAC747
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6B0B1 push edx; ret 0_2_00E6B0C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E300B9 push 3F84DE15h; mov dword ptr [esp], esp 0_2_00E300BE
Source: file.exe | Static PE information: section name: entropy: 7.7986677866136604

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CADD54 second address: CADD5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CADD5A second address: CADD5F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CADD5F second address: CADD78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jbe 00007F9A08CDCCECh 0x0000000f je 00007F9A08CDCCE6h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E1654D second address: E1655C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9A093DC0BAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E242A3 second address: E242BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jo 00007F9A08CDCCE6h 0x0000000c popad 0x0000000d js 00007F9A08CDCCEAh 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E242BA second address: E242C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F9A093DC0B6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E2474B second address: E2474F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E2474F second address: E24755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E24755 second address: E2475F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F9A08CDCCE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E274A0 second address: E27556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 add dword ptr [esp], 6A56D25Ah 0x0000000e push 00000003h 0x00000010 mov edx, dword ptr [ebp+122D2DC0h] 0x00000016 push 00000000h 0x00000018 call 00007F9A093DC0C7h 0x0000001d and edi, 62F1FE85h 0x00000023 pop ecx 0x00000024 mov ecx, dword ptr [ebp+122D2DA8h] 0x0000002a push 00000003h 0x0000002c js 00007F9A093DC0CDh 0x00000032 jmp 00007F9A093DC0C7h 0x00000037 push 9E73A316h 0x0000003c push esi 0x0000003d jp 00007F9A093DC0B8h 0x00000043 pop esi 0x00000044 xor dword ptr [esp], 5E73A316h 0x0000004b add edi, dword ptr [ebp+122D2EFCh] 0x00000051 jmp 00007F9A093DC0C7h 0x00000056 lea ebx, dword ptr [ebp+1244D37Eh] 0x0000005c mov esi, dword ptr [ebp+122D1D19h] 0x00000062 movzx edx, si 0x00000065 xchg eax, ebx 0x00000066 pushad 0x00000067 push ebx 0x00000068 pushad 0x00000069 popad 0x0000006a pop ebx 0x0000006b push eax 0x0000006c jne 00007F9A093DC0B6h 0x00000072 pop eax 0x00000073 popad 0x00000074 push eax 0x00000075 pushad 0x00000076 jc 00007F9A093DC0BCh 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E275DA second address: E275F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jp 00007F9A08CDCCECh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E275F1 second address: E2768E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9A093DC0C5h 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c xor dword ptr [ebp+122D1D93h], edx 0x00000012 pushad 0x00000013 mov dx, 68C6h 0x00000017 mov esi, dword ptr [ebp+122D2C74h] 0x0000001d popad 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push eax 0x00000023 call 00007F9A093DC0B8h 0x00000028 pop eax 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d add dword ptr [esp+04h], 00000016h 0x00000035 inc eax 0x00000036 push eax 0x00000037 ret 0x00000038 pop eax 0x00000039 ret 0x0000003a sub dword ptr [ebp+122D21FBh], edi 0x00000040 call 00007F9A093DC0B9h 0x00000045 push edx 0x00000046 jng 00007F9A093DC0B8h 0x0000004c pop edx 0x0000004d push eax 0x0000004e push edi 0x0000004f push esi 0x00000050 jmp 00007F9A093DC0C4h 0x00000055 pop esi 0x00000056 pop edi 0x00000057 mov eax, dword ptr [esp+04h] 0x0000005b jmp 00007F9A093DC0C1h 0x00000060 mov eax, dword ptr [eax] 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 push edx 0x00000067 pop edx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E2768E second address: E27698 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9A08CDCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E27698 second address: E276A8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E276A8 second address: E27702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F9A08CDCCF6h 0x0000000b jmp 00007F9A08CDCCF8h 0x00000010 popad 0x00000011 popad 0x00000012 pop eax 0x00000013 and ecx, dword ptr [ebp+122D2F50h] 0x00000019 push 00000003h 0x0000001b mov si, cx 0x0000001e push 00000000h 0x00000020 sub cx, CCB9h 0x00000025 push 00000003h 0x00000027 push edi 0x00000028 movzx edx, ax 0x0000002b pop edi 0x0000002c push B07F72CDh 0x00000031 push eax 0x00000032 push edx 0x00000033 push edi 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E27702 second address: E27707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E27707 second address: E2770C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E27769 second address: E27779 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A093DC0BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E27779 second address: E277F6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9A08CDCCECh 0x00000008 jg 00007F9A08CDCCE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jmp 00007F9A08CDCCF7h 0x00000016 nop 0x00000017 pushad 0x00000018 pushad 0x00000019 sub dword ptr [ebp+122D1D93h], ebx 0x0000001f or dword ptr [ebp+122D236Eh], ebx 0x00000025 popad 0x00000026 clc 0x00000027 popad 0x00000028 push 00000000h 0x0000002a xor edi, dword ptr [ebp+122D2DFCh] 0x00000030 call 00007F9A08CDCCE9h 0x00000035 jmp 00007F9A08CDCCF3h 0x0000003a push eax 0x0000003b push ebx 0x0000003c pushad 0x0000003d jmp 00007F9A08CDCCEFh 0x00000042 pushad 0x00000043 popad 0x00000044 popad 0x00000045 pop ebx 0x00000046 mov eax, dword ptr [esp+04h] 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E277F6 second address: E278A9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9A093DC0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov eax, dword ptr [eax] 0x0000000d jmp 00007F9A093DC0BFh 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 jmp 00007F9A093DC0C3h 0x0000001b pop eax 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007F9A093DC0B8h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 0000001Ch 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 jmp 00007F9A093DC0C2h 0x0000003b jmp 00007F9A093DC0BDh 0x00000040 push 00000003h 0x00000042 sub edi, dword ptr [ebp+122D2E6Ch] 0x00000048 xor edx, 78DFC8D7h 0x0000004e push 00000000h 0x00000050 push 00000003h 0x00000052 call 00007F9A093DC0B9h 0x00000057 jmp 00007F9A093DC0C6h 0x0000005c push eax 0x0000005d jo 00007F9A093DC0C4h 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E278A9 second address: E278CF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9A08CDCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jg 00007F9A08CDCCE6h 0x00000018 popad 0x00000019 pop edi 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e jnp 00007F9A08CDCCECh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E278CF second address: E278D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E278D3 second address: E278D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E278D9 second address: E278DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E278DD second address: E278E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E278E1 second address: E278F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E278F3 second address: E278F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E278F8 second address: E2793F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F9A093DC0B6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop eax 0x0000000e mov ecx, dword ptr [ebp+122D2C70h] 0x00000014 lea ebx, dword ptr [ebp+1244D392h] 0x0000001a push 00000000h 0x0000001c push esi 0x0000001d call 00007F9A093DC0B8h 0x00000022 pop esi 0x00000023 mov dword ptr [esp+04h], esi 0x00000027 add dword ptr [esp+04h], 00000018h 0x0000002f inc esi 0x00000030 push esi 0x00000031 ret 0x00000032 pop esi 0x00000033 ret 0x00000034 or edi, dword ptr [ebp+122D2CC0h] 0x0000003a xchg eax, ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f push ebx 0x00000040 pop ebx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E2793F second address: E27943 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E27943 second address: E27949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E27949 second address: E27977 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9A08CDCCF9h 0x00000008 jmp 00007F9A08CDCCF3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F9A08CDCCEAh 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E27977 second address: E2797C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E38658 second address: E3865C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E1136A second address: E11382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9A093DC0C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E46A31 second address: E46A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E46A37 second address: E46A3D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E46A3D second address: E46A6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A08CDCCF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F9A08CDCCEEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E46A6A second address: E46A76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F9A093DC0B6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E46A76 second address: E46A7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E46BB8 second address: E46BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E46E6D second address: E46EC1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9A08CDCCFBh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c ja 00007F9A08CDCCE6h 0x00000012 jmp 00007F9A08CDCCF3h 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007F9A08CDCCF0h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E47037 second address: E4704F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F9A093DC0B6h 0x0000000d jmp 00007F9A093DC0BBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E47358 second address: E4735E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E4761B second address: E4766E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F9A093DC0B6h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F9A093DC0C2h 0x00000011 jmp 00007F9A093DC0C3h 0x00000016 jmp 00007F9A093DC0BDh 0x0000001b popad 0x0000001c push esi 0x0000001d jno 00007F9A093DC0B6h 0x00000023 jne 00007F9A093DC0B6h 0x00000029 pop esi 0x0000002a popad 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e push edi 0x0000002f pop edi 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E4766E second address: E47678 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9A08CDCCE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E47678 second address: E476A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9A093DC0C5h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 jp 00007F9A093DC0B6h 0x00000016 popad 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push edi 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E47A4A second address: E47A66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A08CDCCEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push ecx 0x0000000b push ecx 0x0000000c jnc 00007F9A08CDCCE6h 0x00000012 pop ecx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E47A66 second address: E47A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F9A093DC0B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E47A72 second address: E47A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E47BFA second address: E47C50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9A093DC0BAh 0x00000008 jl 00007F9A093DC0B6h 0x0000000e jmp 00007F9A093DC0BEh 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jmp 00007F9A093DC0C3h 0x0000001c js 00007F9A093DC0B8h 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push ecx 0x00000026 pop ecx 0x00000027 pop eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F9A093DC0C0h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E47C50 second address: E47C54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E3AD0E second address: E3AD23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F9A093DC0B6h 0x0000000a jng 00007F9A093DC0B6h 0x00000010 popad 0x00000011 push esi 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E3AD23 second address: E3AD29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E3AD29 second address: E3AD2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E489EB second address: E489EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E18038 second address: E18042 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F9A093DC0B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E4F207 second address: E4F21D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9A08CDCCEEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E4F94F second address: E4F963 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A093DC0C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4F963 second address: E4F979 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9A08CDCCF2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4F979 second address: E4F98F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9A093DC0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4F98F second address: E4F993 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4F993 second address: E4F999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E524D0 second address: E524DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F9A08CDCCE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E524DC second address: E524F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9A093DC0C2h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E52669 second address: E52678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F9A08CDCCE6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E52849 second address: E5284F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5284F second address: E5285E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jne 00007F9A08CDCCE8h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E52D67 second address: E52D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F9A093DC0BEh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E52D7A second address: E52D80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E52D80 second address: E52D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E52D86 second address: E52D8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E554A3 second address: E554A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E554A7 second address: E554B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E554B3 second address: E554B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E554B9 second address: E554BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E554BE second address: E554C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E554C3 second address: E554C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E55978 second address: E5597C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5597C second address: E559BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebx 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F9A08CDCCE8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov edi, dword ptr [ebp+122D35B7h] 0x0000002a nop 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F9A08CDCCEEh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E559BB second address: E559C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E55AC2 second address: E55AC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E55DD9 second address: E55DDF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E55F81 second address: E55F85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E55F85 second address: E55F8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E56492 second address: E56498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E56FF9 second address: E56FFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E580F4 second address: E580FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E580FA second address: E5816D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 sbb di, 2663h 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F9A093DC0B8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 and di, 14EDh 0x0000002d mov edi, dword ptr [ebp+122D2D6Ch] 0x00000033 jbe 00007F9A093DC0BCh 0x00000039 mov esi, dword ptr [ebp+122D2EBCh] 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push edx 0x00000044 call 00007F9A093DC0B8h 0x00000049 pop edx 0x0000004a mov dword ptr [esp+04h], edx 0x0000004e add dword ptr [esp+04h], 00000015h 0x00000056 inc edx 0x00000057 push edx 0x00000058 ret 0x00000059 pop edx 0x0000005a ret 0x0000005b mov dword ptr [ebp+122D1FC9h], esi 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 push esi 0x00000065 pushad 0x00000066 popad 0x00000067 pop esi 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5816D second address: E58173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E58173 second address: E58177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5A431 second address: E5A437 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5AE82 second address: E5AEDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A093DC0C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F9A093DC0B8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 jl 00007F9A093DC0BCh 0x0000002c xor esi, dword ptr [ebp+122D2E1Ch] 0x00000032 push 00000000h 0x00000034 jnp 00007F9A093DC0B6h 0x0000003a push 00000000h 0x0000003c mov di, si 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 push edx 0x00000044 pop edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5B91D second address: E5B921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5B921 second address: E5B935 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A093DC0C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E61EB7 second address: E61EC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F9A08CDCCE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E61EC1 second address: E61EF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F9A093DC0BCh 0x00000011 jmp 00007F9A093DC0C8h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E62FD7 second address: E63057 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9A08CDCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F9A08CDCCEDh 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 popad 0x00000018 nop 0x00000019 mov ebx, dword ptr [ebp+122D1FB0h] 0x0000001f push dword ptr fs:[00000000h] 0x00000026 push 00000000h 0x00000028 push ecx 0x00000029 call 00007F9A08CDCCE8h 0x0000002e pop ecx 0x0000002f mov dword ptr [esp+04h], ecx 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc ecx 0x0000003c push ecx 0x0000003d ret 0x0000003e pop ecx 0x0000003f ret 0x00000040 mov edi, ebx 0x00000042 mov dword ptr fs:[00000000h], esp 0x00000049 sub dword ptr [ebp+122D21EEh], ebx 0x0000004f mov eax, dword ptr [ebp+122D0019h] 0x00000055 mov dword ptr [ebp+12446824h], edi 0x0000005b push FFFFFFFFh 0x0000005d mov dword ptr [ebp+12470CB0h], ebx 0x00000063 nop 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 jg 00007F9A08CDCCE6h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E63057 second address: E63072 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A093DC0BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F9A093DC0B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E63EF4 second address: E63EF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E63072 second address: E63084 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F9A093DC0B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E64C08 second address: E64C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E63EF9 second address: E63EFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E63084 second address: E63088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E63088 second address: E6308E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E66C72 second address: E66C99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F9A08CDCCE6h 0x0000000a pop ecx 0x0000000b jng 00007F9A08CDCD02h 0x00000011 jmp 00007F9A08CDCCF2h 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E67242 second address: E672BD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F9A093DC0C3h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F9A093DC0B8h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 add dword ptr [ebp+122D1FDAh], ecx 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007F9A093DC0B8h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a mov ebx, dword ptr [ebp+122D2D54h] 0x00000050 sub dword ptr [ebp+122D2FF4h], eax 0x00000056 push 00000000h 0x00000058 xchg eax, esi 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d jnp 00007F9A093DC0B6h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E672BD second address: E672C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E672C1 second address: E672C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E682CC second address: E682D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E682D2 second address: E682D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E682D6 second address: E682ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A08CDCCEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E682ED second address: E682F3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6928D second address: E69291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6A30A second address: E6A30F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6A30F second address: E6A315 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6C296 second address: E6C319 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A093DC0C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F9A093DC0B8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007F9A093DC0B8h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 00000014h 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 push 00000000h 0x00000043 mov di, bx 0x00000046 movzx edi, dx 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d jmp 00007F9A093DC0C9h 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6C319 second address: E6C31E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6D34B second address: E6D34F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6D34F second address: E6D3E7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jmp 00007F9A08CDCCEDh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F9A08CDCCE8h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a jmp 00007F9A08CDCCEBh 0x0000002f mov edi, dword ptr [ebp+122D2F94h] 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push eax 0x0000003a call 00007F9A08CDCCE8h 0x0000003f pop eax 0x00000040 mov dword ptr [esp+04h], eax 0x00000044 add dword ptr [esp+04h], 00000014h 0x0000004c inc eax 0x0000004d push eax 0x0000004e ret 0x0000004f pop eax 0x00000050 ret 0x00000051 movsx ebx, bx 0x00000054 xchg eax, esi 0x00000055 jmp 00007F9A08CDCCF1h 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F9A08CDCCF4h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6D3E7 second address: E6D3F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A093DC0BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6D3F7 second address: E6D3FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6A53B second address: E6A540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6C4C9 second address: E6C4DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9A08CDCCEFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6C4DC second address: E6C4E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6E4E1 second address: E6E505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b jg 00007F9A08CDCCE6h 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007F9A08CDCCEFh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6D561 second address: E6D56E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6D56E second address: E6D572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6D572 second address: E6D57C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9A093DC0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6D57C second address: E6D581 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6E74F second address: E6E753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E704BA second address: E704BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E704BE second address: E70532 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b add edi, 53532541h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F9A093DC0B8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d or edi, dword ptr [ebp+122D2D20h] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebx 0x00000038 call 00007F9A093DC0B8h 0x0000003d pop ebx 0x0000003e mov dword ptr [esp+04h], ebx 0x00000042 add dword ptr [esp+04h], 00000015h 0x0000004a inc ebx 0x0000004b push ebx 0x0000004c ret 0x0000004d pop ebx 0x0000004e ret 0x0000004f mov edi, dword ptr [ebp+122D3BF0h] 0x00000055 jmp 00007F9A093DC0BEh 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d js 00007F9A093DC0B8h 0x00000063 push ecx 0x00000064 pop ecx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F711 second address: E6F715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6F715 second address: E6F740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9A093DC0C0h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jnl 00007F9A093DC0B6h 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 je 00007F9A093DC0BCh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E706C7 second address: E706CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E706CD second address: E7075D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F9A093DC0BAh 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F9A093DC0B8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f mov bx, dx 0x00000032 mov di, A860h 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d mov eax, dword ptr [ebp+122D038Dh] 0x00000043 adc bx, 68BBh 0x00000048 xor dword ptr [ebp+122D3342h], edx 0x0000004e push FFFFFFFFh 0x00000050 push edi 0x00000051 movsx edi, bx 0x00000054 pop ebx 0x00000055 nop 0x00000056 pushad 0x00000057 jmp 00007F9A093DC0C9h 0x0000005c jnl 00007F9A093DC0BCh 0x00000062 popad 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7075D second address: E70761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E70761 second address: E70765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E70765 second address: E7076B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7076B second address: E70775 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F9A093DC0B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7EF58 second address: E7EF62 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9A08CDCCE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7EF62 second address: E7EF70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F9A093DC0B8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7EF70 second address: E7EF76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E86B2B second address: E86B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E86B32 second address: E86B37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E88F78 second address: E88F7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E88F7C second address: E88FB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9A08CDCCF7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c js 00007F9A08CDCD1Ah 0x00000012 pushad 0x00000013 jmp 00007F9A08CDCCEEh 0x00000018 pushad 0x00000019 popad 0x0000001a jbe 00007F9A08CDCCE6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E901D8 second address: E901DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E901DE second address: E901E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8EE58 second address: E8EE72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9A093DC0C0h 0x00000009 jno 00007F9A093DC0B6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8EE72 second address: E8EE78 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8F487 second address: E8F494 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9A093DC0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8F494 second address: E8F49A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8F49A second address: E8F49F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8F49F second address: E8F4A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F9A08CDCCE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8F4A9 second address: E8F4AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8FD84 second address: E8FD88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8FD88 second address: E8FD92 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9A093DC0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8FD92 second address: E8FDA9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F9A08CDCCEFh 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8FDA9 second address: E8FDB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F9A093DC0B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8FF1C second address: E8FF39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A08CDCCF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8FF39 second address: E8FF43 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9A093DC0C2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E90086 second address: E9008C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9008C second address: E90092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E993D2 second address: E993D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E98F7D second address: E98F82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E99F30 second address: E99F5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A08CDCCF2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c js 00007F9A08CDCCFEh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F9A08CDCCEAh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E99F5D second address: E99F61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA2113 second address: EA2118 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA2118 second address: EA211E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA107B second address: EA108F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9A08CDCCF0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5C9EC second address: E5C9F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5C9F7 second address: E5C9FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5C9FC second address: E3AD0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A093DC0C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+122D2169h], edx 0x00000010 call dword ptr [ebp+122D318Bh] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5CB3B second address: E5CB45 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9A08CDCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5CB45 second address: E5CE41 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9A093DC0CCh 0x00000008 jmp 00007F9A093DC0C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebx 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F9A093DC0B8h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a and edi, dword ptr [ebp+122D2DFCh] 0x00000030 push dword ptr fs:[00000000h] 0x00000037 mov cl, 69h 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 call 00007F9A093DC0BCh 0x00000045 jmp 00007F9A093DC0C5h 0x0000004a pop ecx 0x0000004b mov dword ptr [ebp+124827CBh], esp 0x00000051 add edi, dword ptr [ebp+122D1D06h] 0x00000057 xor edi, 34809E0Eh 0x0000005d cmp dword ptr [ebp+122D2FC4h], 00000000h 0x00000064 jne 00007F9A093DC137h 0x0000006a cmp dword ptr [ebp+122D2D30h], 00000000h 0x00000071 jne 00007F9A093DC184h 0x00000077 cmp dword ptr [ebp+122D2E90h], 00000000h 0x0000007e jne 00007F9A093DC169h 0x00000084 mov byte ptr [ebp+122D2359h], 0000006Ch 0x0000008b jmp 00007F9A093DC0BFh 0x00000090 mov eax, DB057083h 0x00000095 mov edi, dword ptr [ebp+122D2C48h] 0x0000009b call 00007F9A093DC0BFh 0x000000a0 jmp 00007F9A093DC0C4h 0x000000a5 pop ecx 0x000000a6 push eax 0x000000a7 pushad 0x000000a8 pushad 0x000000a9 push eax 0x000000aa push edx 0x000000ab rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5CF5A second address: E5CF60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D00E second address: E5D091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F9A093DC0C5h 0x0000000f mov eax, dword ptr [eax] 0x00000011 je 00007F9A093DC0BAh 0x00000017 push ebx 0x00000018 pushad 0x00000019 popad 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 jmp 00007F9A093DC0C0h 0x00000025 pop eax 0x00000026 pop eax 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007F9A093DC0B8h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 00000016h 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 mov dword ptr [ebp+1245CCCFh], ecx 0x00000047 push 225F3803h 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f jmp 00007F9A093DC0C3h 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D091 second address: E5D096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D096 second address: E5D09C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D09C second address: E5D0A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D1A7 second address: E5D1B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F9A093DC0B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D409 second address: E5D40E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5DD1A second address: E5DD21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5DD21 second address: E5DD38 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9A08CDCCECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5DD38 second address: E5DD3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5DD3C second address: E5DD53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A08CDCCF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3B899 second address: E3B89D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA12E7 second address: EA1317 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A08CDCCF3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9A08CDCCEFh 0x00000012 jo 00007F9A08CDCCE6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA1317 second address: EA131B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA131B second address: EA133D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 jmp 00007F9A08CDCCF2h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA161D second address: EA163D instructions: 0x00000000 rdtsc 0x00000002 js 00007F9A093DC0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F9A093DC0C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1CF80 second address: E1CF94 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9A08CDCCE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F9A08CDCCE6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1CF94 second address: E1CF9E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9A093DC0B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1CF9E second address: E1CFB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jc 00007F9A08CDCCE6h 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1CFB0 second address: E1CFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1CFB4 second address: E1CFB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA6D5E second address: EA6D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA6E97 second address: EA6EBC instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9A08CDCCE6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007F9A08CDCCF9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA6EBC second address: EA6EC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA6EC1 second address: EA6EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA738E second address: EA739A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA77CD second address: EA77D9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9A08CDCCE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA77D9 second address: EA77F8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F9A093DC0BDh 0x00000008 jne 00007F9A093DC0B6h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007F9A093DC0B6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA7D5D second address: EA7D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F9A08CDCCF2h 0x0000000b jnp 00007F9A08CDCCE6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA7D70 second address: EA7D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA7D77 second address: EA7D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA7D84 second address: EA7D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA6708 second address: EA670C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA670C second address: EA6710 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EADAEE second address: EADAFF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jne 00007F9A08CDCCE6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAD690 second address: EAD698 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAD698 second address: EAD69E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAD69E second address: EAD6B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9A093DC0C1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB1D2B second address: EB1D3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F9A08CDCCE6h 0x0000000a ja 00007F9A08CDCCE6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB200C second address: EB2010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB2010 second address: EB2020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F9A08CDCCE6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB2185 second address: EB2189 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB5A18 second address: EB5A1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB5A1E second address: EB5A23 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBBAE5 second address: EBBAF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F9A08CDCCE6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBBAF1 second address: EBBB14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F9A093DC0C3h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007F9A093DC0B6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBBB14 second address: EBBB1A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBBB1A second address: EBBB22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBBB22 second address: EBBB26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBA247 second address: EBA24D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBA4FE second address: EBA502 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBA502 second address: EBA51F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pushad 0x0000000b jp 00007F9A093DC0B6h 0x00000011 pushad 0x00000012 popad 0x00000013 jnl 00007F9A093DC0B6h 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBA51F second address: EBA525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBA9A6 second address: EBA9AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBA9AA second address: EBA9BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F9A08CDCCEAh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D79F second address: E5D853 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A093DC0BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jp 00007F9A093DC0B8h 0x00000012 jl 00007F9A093DC0B8h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b nop 0x0000001c jmp 00007F9A093DC0C7h 0x00000021 mov ebx, dword ptr [ebp+124827B2h] 0x00000027 push edx 0x00000028 mov ecx, dword ptr [ebp+122D314Ah] 0x0000002e pop ecx 0x0000002f add eax, ebx 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007F9A093DC0B8h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 0000001Ch 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b mov edx, dword ptr [ebp+12446C5Bh] 0x00000051 pushad 0x00000052 mov di, cx 0x00000055 jno 00007F9A093DC0BCh 0x0000005b popad 0x0000005c push eax 0x0000005d jmp 00007F9A093DC0BEh 0x00000062 mov dword ptr [esp], eax 0x00000065 and ecx, 1DD88F88h 0x0000006b push 00000004h 0x0000006d mov edi, dword ptr [ebp+124778C1h] 0x00000073 push eax 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 jo 00007F9A093DC0B6h 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D853 second address: E5D862 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A08CDCCEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBAB46 second address: EBAB4C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBAB4C second address: EBAB8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9A08CDCCECh 0x0000000b jmp 00007F9A08CDCCEDh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007F9A08CDCCF2h 0x00000019 jmp 00007F9A08CDCCEBh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBACCB second address: EBACE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A093DC0C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC3138 second address: EC313E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC313E second address: EC314A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC314A second address: EC3167 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A08CDCCF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC3167 second address: EC317C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9A093DC0C1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC317C second address: EC31BC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9A08CDCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F9A08CDCCECh 0x00000010 jmp 00007F9A08CDCCF9h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f jno 00007F9A08CDCCE6h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC31BC second address: EC31C6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9A093DC0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC333E second address: EC336A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9A08CDCCF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jbe 00007F9A08CDCCEEh 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC34D8 second address: EC34E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC34E1 second address: EC34EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC34EB second address: EC34F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC3A33 second address: EC3A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9A08CDCCF2h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CADD2E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CADDE6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E5CBC2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: EE6AF4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CB4F4B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Memory allocated: 5440000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 54B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 74B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E24133 rdtsc 0_2_00E24133
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 2268 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E82E15 GetSystemInfo,VirtualAlloc,0_2_00E82E15
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: file.exe Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E24133 rdtsc 0_2_00E24133
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CAB7CE LdrInitializeThunk,0_2_00CAB7CE
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: (xMProgram Manager
Source: file.exe, 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: o(xMProgram Manager

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (a number in parentheses is the count shown beside that technique in the report):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Command and Scripting Interpreter (2), Service Execution (1), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: Windows Service (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Windows Service (1), Process Injection (1), DLL Side-Loading (1), Bypass User Account Control (2), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Disable or Modify Tools (41), Virtualization/Sandbox Evasion (261), Process Injection (1), Obfuscated Files or Information (2), Software Packing (11), DLL Side-Loading (1), Bypass User Account Control (2)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery (641), Process Discovery (2), Virtualization/Sandbox Evasion (261), System Information Discovery (23), Internet Connection Discovery, Wi-Fi Discovery, Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner
file.exe | 56% | Virustotal
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572086
Start date and time: 2024-12-10 04:31:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 13.107.246.63
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
No simulations
No context
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.51026276468541
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'800'128 bytes
MD5: 10bb282a6a510155af521185a136c32d
SHA1: b0cddbafc0067a12a2e956719e31379dba526175
SHA256: fb4563df189c1a024633917a3ddb4ba58495fe4929cd1a71a955abfdadc5ce3c
SHA512: e35b9ae296a83db15165687c9a3c1e3bae30ec56d94787e11dd5e8bc3d2a15fe6bdc0cee4b65a56d77efc2db7b7383e1579dbf6088c141d89433ece5aaad8cbc
SSDEEP: 49152:Gfh083818wsoM6kIud4kdOS/eEoyGlyT2E6Tw:4h08a81R6kIudXdOS/Eu2E6w
TLSH: 4FD53B52B90AB5CFD49F17B844B7CD82BA2D47F9471248E3A87C74B96EA3CC112B5C24
File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$........... +.. ...`....@.. .......................`+.......+...`................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x6b2000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction (entry point disassembly):
jmp 00007F9A08CA524Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x500 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(name not shown) | 0x2000 | 0x4000 | 0x1200 | 5191caee3e3745a9022886b433c4814a | False | 0.9331597222222222 | data | 7.7986677866136604 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x500 | 0x600 | 3f0822cb5bc594d18b0318d6ab15c5ae | False | 0.3951822916666667 | data | 4.442048717005577 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pzmyaaxr | 0xa000 | 0x2a6000 | 0x2a5a00 | 2662542ec0ff386f110776a9761093f6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wkcwmztw | 0x2b0000 | 0x2000 | 0x400 | 886e1e357198b4cb6b058d149682501f | False | 0.7470703125 | data | 5.837315176620768 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2b2000 | 0x4000 | 0x2200 | b803d912f88750881d711cfeeb966be0 | False | 0.05997242647058824 | DOS executable (COM) | 0.8247394196544592 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x60a0 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
No network behavior found

Target ID: 0
Start time: 22:31:55
Start date: 09/12/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xca0000
File size: 2'800'128 bytes
MD5 hash: 10BB282A6A510155AF521185A136C32D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


    Execution Graph

    Execution Coverage:3.7%
    Dynamic/Decrypted Code Coverage:10.2%
    Signature Coverage:16.1%
    Total number of Nodes:118
    Total number of Limit Nodes:13
    execution_graph: API nodes in the graph are OpenSCManagerW, ImpersonateLoggedOnUser, LdrInitializeThunk, NtQuerySystemInformation, VirtualProtect, GetModuleFileNameA, CreateThread, CreateFileA, VirtualAlloc, ChangeServiceConfigA, ControlService, SetEnvironmentVariableA, LoadLibraryA, GetSystemInfo and VirtualFree

    Control-flow Graph: function at e24133, call to LoadLibraryA at e24133-e24138
    Memory Dump Source
    • Source File: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: /u
    • API String ID: 1029625771-1026609814
    • Opcode ID: 74a53fa6595eebbbcb760cae7ef2803fc303f03e119747e547365fadb5493a61
    • Instruction ID: 905f5e188523ea5ae1cbc3e3b35ddb98324c4a5f227d4fa1733f0b20afaf5109
    • Opcode Fuzzy Hash: 74a53fa6595eebbbcb760cae7ef2803fc303f03e119747e547365fadb5493a61
    • Instruction Fuzzy Hash: 193139B250D210AFE305AF69E9416BEFBE9EF94721F168C2DE5C4C3604D23098908B57

    Control-flow Graph: function at e82e15, calls GetSystemInfo, VirtualAlloc, e83161 and e82fab
    APIs
    • GetSystemInfo.KERNELBASE(?,-11625FEC,?,?,?,?,?,?,?,?,00E8430F), ref: 00E82E21
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004,?,?,?,?,?,?,?,?,00E8430F), ref: 00E82E82
    Memory Dump Source
    • Source File: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: 010f4364cb9f9c38c6ca6096cb2da7d8683403c73a965f2ee2f4d93de3a74264
    • Instruction ID: b2fc9d63a4a10eb7f309aa2be4275e91b3ead9c98c4588c636d6eff0bb2e60aa
    • Opcode Fuzzy Hash: 010f4364cb9f9c38c6ca6096cb2da7d8683403c73a965f2ee2f4d93de3a74264
    • Instruction Fuzzy Hash: 374114B5A40206AEF725DFA4CD05F97B7ACFB48B04F1444A6B30BED582E67095D0C7A4

    Control-flow Graph: function at 54815d0, calls ChangeServiceConfigA and 548013c
    APIs
    • ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 054818C8
    Memory Dump Source
    • Source File: 00000000.00000002.2251612431.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5480000_file.jbxd
    Similarity
    • API ID: ChangeConfigService
    • String ID:
    • API String ID: 3849694230-0
    • Opcode ID: 727c8d4b60c033ef0b5e5c423b00b5232f6f8852b4de9c5dd8aa4bfba2abbcac
    • Instruction ID: a64862135e7686f2be3ea45cddef877d9e3d1ac725f029e03be26c88d672b353
    • Opcode Fuzzy Hash: 727c8d4b60c033ef0b5e5c423b00b5232f6f8852b4de9c5dd8aa4bfba2abbcac
    • Instruction Fuzzy Hash: BAC14971D106599FDB10EFA8C9857FEBBB2FB48310F14826AE855E7380D7749886CB81
    APIs
    • NtQuerySystemInformation.NTDLL ref: 00E5D3A3
    Memory Dump Source
    • Source File: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: InformationQuerySystem
    • String ID:
    • API String ID: 3562636166-0
    • Opcode ID: 0f11c7b5190609fc32bc7b183c0124532e9799bd8c481b09a554c8fccbd2a880
    • Instruction ID: 933c7ca1d79dfbe1d6edfe4da24c0a6c40abd77683e68f68523f3fcacf25bc96
    • Opcode Fuzzy Hash: 0f11c7b5190609fc32bc7b183c0124532e9799bd8c481b09a554c8fccbd2a880
    • Instruction Fuzzy Hash: A7D05E3051824E9BCB10DF30C89179E3726FF15321F005524AD82B79C582716C548A09
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID:
    • String ID: !!iH
    • API String ID: 0-3430752988
    • Opcode ID: 473a3753e2344336e656eb2bf5d24272235f6ca92c94e6542c818bc74a9ae27e
    • Instruction ID: 241719daf868f5763111bd8f835fe38173c459ec9075b908746909f866f902b0
    • Opcode Fuzzy Hash: 473a3753e2344336e656eb2bf5d24272235f6ca92c94e6542c818bc74a9ae27e
    • Instruction Fuzzy Hash: 03E0C2721089879ADB269F34880179E3F2DDB42708F904125FB119AE87CB2D0E11D756

    Control-flow Graph

    • Executed
    • Not Executed
    Control-flow graph (rendered image not reproduced): basic blocks 0xE275FB to 0xE27AD3; API call in graph: CreateFileA; internal call targets 0xE2762C, 0xE277C4, 0xE27A13, 0xE27A41, 0xE27AD6
    APIs
    • CreateFileA.KERNELBASE(?,B07F72CD,00000003,00000000,00000003), ref: 00E27744
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: C
    • API String ID: 823142352-1037565863
    • Opcode ID: 0839664994844901074b9d0b8fb3df5ce0039a8d526e6c3711be692d1c2c2824
    • Instruction ID: e5b41ef485c72ed4330a4d3c1e49c48c7a5975ddd0837338da6cb9024107c268
    • Opcode Fuzzy Hash: 0839664994844901074b9d0b8fb3df5ce0039a8d526e6c3711be692d1c2c2824
    • Instruction Fuzzy Hash: CC519FF724C2A57DF301CA65BE55EFB7BADE6C2730B34942BF481E6442D2A10E099271

    Control-flow Graph

    • Executed
    • Not Executed
    Control-flow graph (rendered image not reproduced): basic blocks 0xE27585 to 0xE27AD3; API call in graph: CreateFileA (two call sites); internal call targets 0xE2762C, 0xE277C4, 0xE27A13, 0xE27A41, 0xE27AD6
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: C
    • API String ID: 823142352-1037565863
    • Opcode ID: 17c8564f2d5798f578c425524c8158d5931dcf7ee6b00d0fa2b2f3b8cb6187a0
    • Instruction ID: 28c34812c05f275153d5ea3db80cceb3094ed403352911bac345b3ad983c3acb
    • Opcode Fuzzy Hash: 17c8564f2d5798f578c425524c8158d5931dcf7ee6b00d0fa2b2f3b8cb6187a0
    • Instruction Fuzzy Hash: 3B31C4F714C2657DF6018A647F51BFFA7AEE6C2730B30982AF481E6442E2961E0D6235

    Control-flow Graph

    • Executed
    • Not Executed
    Control-flow graph (rendered image not reproduced): basic blocks 0xE682AB to 0xE68386; API call in graph: CreateThread; internal call targets 0xE6832C, 0xE68347
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID:
    • String ID: w?
    • API String ID: 0-2458380688
    • Opcode ID: 69ae8d3eab3899e86afdb3047d3b2fcb5a9ef5c3f6a39e2c41b86f15158cf334
    • Instruction ID: ab047cb32f842607ec891e1238a6d0b3c05d4a27dbba66516a7181f1062a6ec2
    • Opcode Fuzzy Hash: 69ae8d3eab3899e86afdb3047d3b2fcb5a9ef5c3f6a39e2c41b86f15158cf334
    • Instruction Fuzzy Hash: 4D01D2B32C411A2DF6168E556F29BFF3B2CCBC2F74F209116F802EA483C6910D095135

    Control-flow Graph
    • Graph 105: a single basic block, e83235-e83285, which calls SetEnvironmentVariableA
    APIs
    • SetEnvironmentVariableA.KERNELBASE(?,?,?,00000000), ref: 00E83282
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: EnvironmentVariable
    • String ID: S
    • API String ID: 1431749950-543223747
    • Opcode ID: f42c2fc60d695e53b85ad179423814cf72a4e272a49cd739cf18def981735150
    • Instruction ID: 009c703207f4af3be3d3b96e965cb0dcf5efaae6b9238806a45c6edbfb2100bb
    • Opcode Fuzzy Hash: f42c2fc60d695e53b85ad179423814cf72a4e272a49cd739cf18def981735150
    • Instruction Fuzzy Hash: A1F0A07690450E5FEB15DEA08C04CDB7BADFF492507000061E503CA913E2B289F08B95

    Control-flow Graph
    • Graph 136: block cae81b-caf49f calls VirtualAlloc and falls through to block caf4ab-caf73e
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 00CAF499
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID: Y%Td
    • API String ID: 4275171209-1036985902
    • Opcode ID: a606f7f4dd4be585fc03253aaf655f7b091a0db4604eab24976e7ec160333b46
    • Instruction ID: b80fe0ff9ff3544239fab6ae1a575cbdc4f3c68bc8497e71f051126fbcd5f57d
    • Opcode Fuzzy Hash: a606f7f4dd4be585fc03253aaf655f7b091a0db4604eab24976e7ec160333b46
    • Instruction Fuzzy Hash: 4A1191B260C705DFD7086F79D44527D77E4EF45324F254A3EA691C7280D6318C41979A

    Control-flow Graph
    • Graph 146: function spanning 54815c4-5481995. Blocks 54815c4-5481867 form a sequence of short self-looping blocks; block 5481871-54818d8 calls ChangeServiceConfigA; the tail (5481922-548198f) conditionally calls 548013c six times
    APIs
    • ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 054818C8
    Memory Dump Source
    • Source File: 00000000.00000002.2251612431.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5480000_file.jbxd
    Similarity
    • API ID: ChangeConfigService
    • String ID:
    • API String ID: 3849694230-0
    • Opcode ID: 05ae5f19af39e554edada5343c8f54167187ca9b4e0eda77198bba30ff59fb00
    • Instruction ID: d77f9e99e6f3683705b06e6c79f571337f3260648655784914e2295e6f003943
    • Opcode Fuzzy Hash: 05ae5f19af39e554edada5343c8f54167187ca9b4e0eda77198bba30ff59fb00
    • Instruction Fuzzy Hash: 57C16971D106599FDB10EFA8C9857FEBBB2FB48310F14826AE855E7380D7749886CB81
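    The ChangeServiceConfigA entry above is the one function in this section whose memory dump is not image-backed (based on PE: false, region 05480000, page protection 00000040): a service-configuration change issued from dynamically allocated executable memory is what the "Detected unpacking" signature in the overview looks like at function level, and it is the first place a triage engineer should look. The script below is an added example, not Joe Sandbox code, that parses the API reference and Memory Dump Source lines of a report and flags calls issued from private executable memory; the sample input is constructed from the four API/Source File pairs visible in this section. It assumes the .sdmp file name carries the region base address, page protection and memory type at the field positions used below (inferred from this report, not documented here); the PAGE_* and MEM_* constant values are the winnt.h ones.

```python
"""Flag Joe Sandbox function entries whose code runs from private executable memory.

Added example, not Joe Sandbox code. Parses the "<Api>.<Module>(args), ref: <addr>"
and "Source File: <dump>.sdmp, Offset: <base>, based on PE: <bool>" lines of a report.

Assumed .sdmp name layout (inferred from this report, treat as an assumption):
  <pid>.<run>.<id>.<region base>.<page protection>.<?>.<memory type>.<?>.sdmp
The protection and memory-type constants are the winnt.h values.
"""
import re
from dataclasses import dataclass, field

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
MEM_PRIVATE = 0x00020000
MEM_TYPE = {0x01000000: "MEM_IMAGE", 0x00040000: "MEM_MAPPED", MEM_PRIVATE: "MEM_PRIVATE"}

API_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")
SRC_RE = re.compile(
    r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")


@dataclass
class Dump:
    name: str
    base: int          # region base address taken from the file name
    protect: int       # PAGE_* value taken from the file name
    mem_type: int      # MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE taken from the file name
    image_base: int    # the "Offset:" field: module base the dump was rebased on
    based_on_pe: bool

    @property
    def executable(self) -> bool:
        return (self.protect & 0xFF) in EXECUTABLE   # drop PAGE_GUARD/NOCACHE modifier bits

    @property
    def private(self) -> bool:
        return self.mem_type == MEM_PRIVATE

    def describe(self) -> str:
        return "%s %s @%08X" % (PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect)),
                                MEM_TYPE.get(self.mem_type, hex(self.mem_type)), self.base)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int


@dataclass
class Entry:
    dump: Dump
    calls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Code running from private, executable, non-image memory is what an unpacked
        # stage or an injected payload looks like once the packer stub has run.
        return self.dump.executable and self.dump.private and not self.dump.based_on_pe


def parse_dump_name(name, image_base, based_on_pe):
    f = name.split(".")   # field positions are the assumption stated in the docstring
    return Dump(name, int(f[3], 16), int(f[4], 16), int(f[6], 16), image_base, based_on_pe)


def parse_report(text):
    """Group each run of API lines with the Source File line that follows them."""
    entries, pending = [], []
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            args = [a.strip() for a in m.group(3).split(",")] if m.group(3).strip() else []
            pending.append(ApiCall(m.group(1), m.group(2), args, int(m.group(4), 16)))
            continue
        m = SRC_RE.search(line)
        if m:
            dump = parse_dump_name(m.group(1), int(m.group(2), 16), m.group(3) == "true")
            entries.append(Entry(dump, pending))
            pending = []
    return entries


def triage(entries):
    """One finding per API call: where it was issued from and whether that is image-backed."""
    findings = []
    for e in entries:
        for c in e.calls:
            findings.append({
                "api": c.api,
                "ref": c.ref,
                # RVA into the on-disk PE for image-backed code, None for unbacked memory
                "rva": c.ref - e.dump.image_base if e.dump.based_on_pe else None,
                "region": e.dump.describe(),
                "flag": e.suspicious,
            })
    return findings


# Constructed sample: the four API / Source File pairs visible in this section of the report.
SAMPLE_REPORT = """
SetEnvironmentVariableA.KERNELBASE(?,?,?,00000000), ref: 00E83282
Source File: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
VirtualAlloc.KERNELBASE(00000000), ref: 00CAF499
Source File: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 054818C8
Source File: 00000000.00000002.2251612431.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
CreateFileA.KERNELBASE(?,B07F72CD,00000003,00000000,00000003), ref: 00E27744
Source File: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
"""

if __name__ == "__main__":
    for f in triage(parse_report(SAMPLE_REPORT)):
        mark = "!! UNBACKED" if f["flag"] else "   image   "
        rva = "" if f["rva"] is None else " rva=%06X" % f["rva"]
        print("%s %-24s ref=%08X%s  %s" % (mark, f["api"], f["ref"], rva, f["region"]))
```

    Run as a script it prints one line per call; only ChangeServiceConfigA is marked as issued from unbacked memory. For the image-backed calls the RVA column (call site minus the 00CA0000 image base) is what to feed to IDA or Ghidra to find the same call in the on-disk PE, which the unpacked 05480000 region has no equivalent for: that code exists only in the sdmp dump.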

    Control-flow Graph
    • Graph 317: entry e27662; blocks e2763e-e2772c lead to block e27736-e2774a, which calls CreateFileA. One path continues through e27750-e277d3 (calls e277c4), the other through e27a00-e27ad3 (calls e27a13, e27a41 and e27ad6)
    APIs
    • CreateFileA.KERNELBASE(?,B07F72CD,00000003,00000000,00000003), ref: 00E27744
    Memory Dump Source
    • Source File: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 5ce7de506289044bfd4ce715db867dbeae5f671397e0b277f1ba854ddd42193a
    • Instruction ID: 79398e5f2342a336e965314eec278bb9aee1bb229240949e5545ac5737916398
    • Opcode Fuzzy Hash: 5ce7de506289044bfd4ce715db867dbeae5f671397e0b277f1ba854ddd42193a
    • Instruction Fuzzy Hash: 3831A3BB24C1A56EF301CA65BE14EFB7BACEBD2731B31843BF581D6442D2940D49A271

    Control-flow Graph
    • Graph 352: entry e2763c, otherwise the same function as graph 317: block e27736-e2774a calls CreateFileA, with one path through e27750-e277d3 (calls e277c4) and one through e27a00-e27ad3 (calls e27a13, e27a41 and e27ad6)
    APIs
    • CreateFileA.KERNELBASE(?,B07F72CD,00000003,00000000,00000003), ref: 00E27744
    Memory Dump Source
    • Source File: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: a4decdd0545b27f9c2a12676a16c73d5bf13acd16b9ceea41d2b4dd14045df29
    • Instruction ID: 82bb7f8911b5d442f115ec28055ccd162e5627e97052ec5dfbef96d387b45239
    • Opcode Fuzzy Hash: a4decdd0545b27f9c2a12676a16c73d5bf13acd16b9ceea41d2b4dd14045df29
    • Instruction Fuzzy Hash: 7431A5B724C1A56EF301CA55BE54EFB7BBCEBD2731B31842BF481D6442D2A40D49A271

    Control-flow Graph
    • Graph 386: entry e27667 with a short prologue (e27670-e276d8), then the same function as graph 317: block e27736-e2774a calls CreateFileA, with one path through e27750-e277d3 (calls e277c4) and one through e27a00-e27ad3 (calls e27a13, e27a41 and e27ad6)
    APIs
    • CreateFileA.KERNELBASE(?,B07F72CD,00000003,00000000,00000003), ref: 00E27744
    Memory Dump Source
    • Source File: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: bac54de83aaeea377d1998d67db47c631896d34a3db720ebaa4e7cfbc9593226
    • Instruction ID: de27663327ae03c47e9c9977f3afa1f0ace7191f806da3d7f0baacf7c9fad86e
    • Opcode Fuzzy Hash: bac54de83aaeea377d1998d67db47c631896d34a3db720ebaa4e7cfbc9593226
    • Instruction Fuzzy Hash: 8431D2B724D1656DF311CA55BE14EFB7BBCE7C2731B31802BF481D6442D2A00E4A9270

    Control-flow Graph

    • Rendered graph not included in this text export; basic blocks e2767a-e27ad6, with the CreateFileA call in block e27736-e2774a and internal calls to e27a13, e27a41, e277c4 and e27ad6.
    APIs
    • CreateFileA.KERNELBASE(?,B07F72CD,00000003,00000000,00000003), ref: 00E27744
    Memory Dump Source
    • Source File: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: d5ad428cb8707abf49e6f04bd2d8571842345f36019b1014df3bc8df84d4466b
    • Instruction ID: 1611ee78d210b485dbb25518728be177440e0ab2323e6076cc131b23c5398e38
    • Opcode Fuzzy Hash: d5ad428cb8707abf49e6f04bd2d8571842345f36019b1014df3bc8df84d4466b
    • Instruction Fuzzy Hash: FE21B1BB24C1657DF301CA56BE15AFF7BADE7C2731B30842BF481D6842D2A00E0A9171

    Control-flow Graph

    • Rendered graph not included in this text export; basic blocks e83841-e839d3, with the VirtualProtect call in block e83990-e83998 and internal calls to e836d6 and e837ab.
    Memory Dump Source
    • Source File: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8fb5e53766918fac5eddefbde7e7ea0c8c47dc9ba60ec1a091a8d3ea36cc9afc
    • Instruction ID: 8f951eefc3eda78118f2f2d20d619e007a0b6ce4ceaeaf7100609f6736866718
    • Opcode Fuzzy Hash: 8fb5e53766918fac5eddefbde7e7ea0c8c47dc9ba60ec1a091a8d3ea36cc9afc
    • Instruction Fuzzy Hash: 8E41BE7190020AEFEB26EF34C845BAD7BB1FF44B18F146455E80EBA191D3B1AE90CB50

    Control-flow Graph

    • Rendered graph not included in this text export; basic blocks e24000-e2412d, with the LoadLibraryA call in block e24000-e24003.
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 56a0af282cf48d9be96f5e343fef50431e6cbf61381ddbbb02fb7c03749793c2
    • Instruction ID: adc9a823c293d204b2a3a1b6670331b19e18836381274b3c0b372ceaa7c0f98c
    • Opcode Fuzzy Hash: 56a0af282cf48d9be96f5e343fef50431e6cbf61381ddbbb02fb7c03749793c2
    • Instruction Fuzzy Hash: 9E3128F550C300AFE705AE08EC81B7EB7E9EB98711F15892DE7D483350E63558508A67
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,00000000), ref: 00E8363B
    Memory Dump Source
    • Source File: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: f0d36f1aa1b4fde2597fd6be582f94a429ff52d17415068ba52505683ab252d9
    • Instruction ID: 9e263867032b409debf082685ff923942277860a975d6bad773356d5d37fa808
    • Opcode Fuzzy Hash: f0d36f1aa1b4fde2597fd6be582f94a429ff52d17415068ba52505683ab252d9
    • Instruction Fuzzy Hash: 421157F1901225ABEB30A62CCC48FEB776CEB54F55F205155F80DB6141F7709E809BA1
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05480DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2251612431.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5480000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 69787e7a4959fbcb220dccc9dc6cb2b027c22e9d1a4bb15c4149edd513368058
    • Instruction ID: ff4ca0122d92e17073eb21522b9c78cd3e20c0c1b2e6804b1bf2c38cd2fee490
    • Opcode Fuzzy Hash: 69787e7a4959fbcb220dccc9dc6cb2b027c22e9d1a4bb15c4149edd513368058
    • Instruction Fuzzy Hash: D12137B6C102099FDB50DF99D888BDEFBF4FB88720F14815AD809AB304D774A544CBA4
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05480DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2251612431.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5480000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 8ac745957a3f66717b68c7f88cb1970a7a1e5ced748f907a72ec79e3a6fb1118
    • Instruction ID: 7461cd6ba3e92e6071ea55ca6976f91238c3c7c7f557ffd9a2832456ddc85d9a
    • Opcode Fuzzy Hash: 8ac745957a3f66717b68c7f88cb1970a7a1e5ced748f907a72ec79e3a6fb1118
    • Instruction Fuzzy Hash: 332133B6C002099FCB10DF99D884BDEFBF4FB88720F14825AD809AB304C774A544CBA4
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05481580
    Memory Dump Source
    • Source File: 00000000.00000002.2251612431.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5480000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 328bd168db963915950d1c76215ed65b39a51bfafff27def95f3dd1a41ad9972
    • Instruction ID: a10d5dc63a4f748b4a9cdc053fdfe9e4fc15d3188fc0a245fff186e8df8576a5
    • Opcode Fuzzy Hash: 328bd168db963915950d1c76215ed65b39a51bfafff27def95f3dd1a41ad9972
    • Instruction Fuzzy Hash: 7B2103B1D006499FDB10CF9AC484BDEFBF4AB48320F14842AE559A7250D378A645CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05481580
    Memory Dump Source
    • Source File: 00000000.00000002.2251612431.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5480000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 6a0f0d697705fdbba2416bf4df2aab69dbcf37a75bbb88c4fdfb724c900b0c77
    • Instruction ID: 83b91b51e9a2175b2914a8b3d8da6ad61455521dfadb1cf2a4d9f1b8597a83dd
    • Opcode Fuzzy Hash: 6a0f0d697705fdbba2416bf4df2aab69dbcf37a75bbb88c4fdfb724c900b0c77
    • Instruction Fuzzy Hash: 741114B1D007498FDB10CF9AC484BDEFBF4EB48320F10842AE559A3250D378A644CFA5
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 761b982914e7bfcdc5e586286c30f66733167939ea59cd297b4095111fd6dd01
    • Instruction ID: 1d9bf5eec6ea9df54d968d7e77ff99025a5537d15031394738d9854f6c3323aa
    • Opcode Fuzzy Hash: 761b982914e7bfcdc5e586286c30f66733167939ea59cd297b4095111fd6dd01
    • Instruction Fuzzy Hash: 41F0F0E248C2717DE7068A606F11BFB775DD382370B306526F8C2FA446E2860E082234
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 5b63e02cd796849f53651ce91fb417b046fbc62f9e11c673cc5da0fe552581f7
    • Instruction ID: a06296f7d377fcf846c3db03521c241912dd1bd2e964fc6c2b970e943bc691a4
    • Opcode Fuzzy Hash: 5b63e02cd796849f53651ce91fb417b046fbc62f9e11c673cc5da0fe552581f7
    • Instruction Fuzzy Hash: A2F08CF710C3653CB10185513F90EFA976CE2C2B34B31D52BF801E1042C2850E8E2032
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05481367
    Memory Dump Source
    • Source File: 00000000.00000002.2251612431.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5480000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 724406a8387bf2660161643173316e8468458bb13b2d24d528194d7e7a75c52e
    • Instruction ID: 5e9b3f6bebfe89c1b420d7f5c68a1fc7a8f7a78e6d02eb0b0995bb3f19084b8f
    • Opcode Fuzzy Hash: 724406a8387bf2660161643173316e8468458bb13b2d24d528194d7e7a75c52e
    • Instruction Fuzzy Hash: 931125B1800749CFEB10CF9AD445BEEBBF4EB48324F24846AD558A3650D778A544CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05481367
    Memory Dump Source
    • Source File: 00000000.00000002.2251612431.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5480000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 74bf99442e7a8f6f5e2f7ddd1fa86629ccd6784be0cc0a02dc04ae0e43d8f610
    • Instruction ID: c16c544294a2ee44d783f5e7057afb62cbcd7cb6eb7f50af12f298d739316a06
    • Opcode Fuzzy Hash: 74bf99442e7a8f6f5e2f7ddd1fa86629ccd6784be0cc0a02dc04ae0e43d8f610
    • Instruction Fuzzy Hash: 7C1133B1800749CFEB10CF9AC444BEEFBF8EB48324F24846AD518A3250C778A944CFA5
    APIs
    • CreateThread.KERNELBASE(00000000), ref: 00E6C35C
    Memory Dump Source
    • Source File: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateThread
    • String ID:
    • API String ID: 2422867632-0
    • Opcode ID: 69a57eded3f1cb5a946129c872a73d23c9589d42a5a011defa314705bb3bf543
    • Instruction ID: ad242497f469086e5cc71f628fb862625a75f65627c26c01f44ffe3fd722b6f9
    • Opcode Fuzzy Hash: 69a57eded3f1cb5a946129c872a73d23c9589d42a5a011defa314705bb3bf543
    • Instruction Fuzzy Hash: E3F024A25CA3903EE7115AA47A29FBA6F9DC753BB0F34E8ADF4C5EB582C15108058331
    Memory Dump Source
    • Source File: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateThread
    • String ID:
    • API String ID: 2422867632-0
    • Opcode ID: 3ec6c0b255f43a5af16c454c5a01d3a28bc81c731d92aa10dcdf33aeb1e05575
    • Instruction ID: a76bcc8341e12738b83ca2e52419c0f83d747bc6f70dc2a01652d6b0647e7829
    • Opcode Fuzzy Hash: 3ec6c0b255f43a5af16c454c5a01d3a28bc81c731d92aa10dcdf33aeb1e05575
    • Instruction Fuzzy Hash: 9FF084724CD3A1EAD323ABB06C263EE3F908F023D4F206004E9C0655938A002905AA6A
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: de69952a9cc3ef558f2dc863a96d096daf63858989181cdc19286de037517ec3
    • Instruction ID: 59d6348fe20250206d1f2a8775581111784bed7798d0b29245122ecd8bf56cee
    • Opcode Fuzzy Hash: de69952a9cc3ef558f2dc863a96d096daf63858989181cdc19286de037517ec3
    • Instruction Fuzzy Hash: 39E086F754C2A63DF10296552E61AFEAB5CD7C2234B308426F841D5043C2854D5D5531
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateThread
    • String ID:
    • API String ID: 2422867632-0
    • Opcode ID: c41206577cbcfbd850d9cb0916e198ff265d7bf933f05d5ba54cf28daa57db15
    • Instruction ID: 20dbd97598fc42fc9dc9e4a12513fa639d624c5db8af1f31b9ae688e713fa90b
    • Opcode Fuzzy Hash: c41206577cbcfbd850d9cb0916e198ff265d7bf933f05d5ba54cf28daa57db15
    • Instruction Fuzzy Hash: 24F0E5314C82E95ACF21AF3494553DE3F6A9F07395F292000ED43A71A3C7621C898611
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a37d9065a31c0544f82c5703cde8903f61965f61bf7f495a7d6f583a8522ef45
    • Instruction ID: 7aacdf08ab30faa3e2979d9826786bec1ae3302553d772370488238e3a51532b
    • Opcode Fuzzy Hash: a37d9065a31c0544f82c5703cde8903f61965f61bf7f495a7d6f583a8522ef45
    • Instruction Fuzzy Hash: 4EE01AF142E215EFD30D2F14894947ABAE8AB08702F52592DF4D6E3740EB705880DF56
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 76ce6cd03a23039cebd36eb4df821aa3176091767486fe080102660b2d2a9c27
    • Instruction ID: 37075f3a857845cbf4ce6a0581d8437a9d6243a6c2290731ff4da30c94b78e97
    • Opcode Fuzzy Hash: 76ce6cd03a23039cebd36eb4df821aa3176091767486fe080102660b2d2a9c27
    • Instruction Fuzzy Hash: 6FD0A7B714D2AA2CF3019B522EA0BFEB758EBC2630F308426E800D6083C6950D591531
    APIs
    • CreateThread.KERNELBASE(00000000), ref: 00E6C35C
    Memory Dump Source
    • Source File: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateThread
    • String ID:
    • API String ID: 2422867632-0
    • Opcode ID: b590c6dfaa014c965644fbf0fdca6d4a678dd28db25dbb09b14b50ee7b0b1293
    • Instruction ID: 91838ebf7de06923508f712659169874cf6daa5861ce08509e3196bf7940ce09
    • Opcode Fuzzy Hash: b590c6dfaa014c965644fbf0fdca6d4a678dd28db25dbb09b14b50ee7b0b1293
    • Instruction Fuzzy Hash: 1CC08C22AC13063BD5202AA04E2BB8E260A5B24F01F19C480B2456F1C2C5A300018394
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateThread
    • String ID:
    • API String ID: 2422867632-0
    • Opcode ID: c8e3f260d27e5e6aa6530288f23278bd130e2fdaa71e240bb5db3fd745aae80b
    • Instruction ID: 6b54f9cb60c7a160fcfcbc8ac1fd103db45a55a4ba839caf7cb600543af5735c
    • Opcode Fuzzy Hash: c8e3f260d27e5e6aa6530288f23278bd130e2fdaa71e240bb5db3fd745aae80b
    • Instruction Fuzzy Hash: 83C02BB30CE2702AD50826B0348C34D2E051B027B8F0474406DC539383454064017219
    APIs
    • CreateThread.KERNELBASE(00000000,00000000,?,00000000), ref: 00E6832F
    Memory Dump Source
    • Source File: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateThread
    • String ID:
    • API String ID: 2422867632-0
    • Opcode ID: 8339fdd7b40b011f4c9d10908a0df55908bc2cfa8e7a1b143b01cf64d18797e3
    • Instruction ID: 4156deb9aea504b0fc7b220c8f1d129fbe3ec0fcf9b08ee51b10dcc24b42ef88
    • Opcode Fuzzy Hash: 8339fdd7b40b011f4c9d10908a0df55908bc2cfa8e7a1b143b01cf64d18797e3
    • Instruction Fuzzy Hash: B8C02B3268010F6AC7202F35EC0974F3F38CF82B23F049510FB0BA04834E1268144334
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: CreateThread
    • String ID:
    • API String ID: 2422867632-0
    • Opcode ID: abfbe012ffa9d87b2ebec56bf7a986331b5ea6bd35b3938c55f900f84213767c
    • Instruction ID: 4741b81c0868fb6ada3b9fa7a727afda3d506eb8fa88b87f5d8a83362ee83b0f
    • Opcode Fuzzy Hash: abfbe012ffa9d87b2ebec56bf7a986331b5ea6bd35b3938c55f900f84213767c
    • Instruction Fuzzy Hash: 16B02B332840101CD1115A5C9800B5D374C4F81210F000424E308820C2C70110074336
    Memory Dump Source
    • Source File: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 307e9764ad3c525d1157bbaf82e6bf7b57cff7c329b675721f428035012aecd8
    • Instruction ID: f6ddf4b50844f9686e86fb9db949499926f6089ecc665a249719a48305cc5914
    • Opcode Fuzzy Hash: 307e9764ad3c525d1157bbaf82e6bf7b57cff7c329b675721f428035012aecd8
    • Instruction Fuzzy Hash: 5601D6FB10C0597EBA20C9416E509FB777CE6C57367305A26FC02E250AE3455D1A5275
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: FreeVirtual
    • String ID:
    • API String ID: 1263568516-0
    • Opcode ID: aadc159817e7525a7df31bbbbc6c3d138f367a0790834b41c395123174985207
    • Instruction ID: ad0d778983c69ff1f319c49d8ed778a3f68baa540fcb1e36a36cbdf9dacd1c91
    • Opcode Fuzzy Hash: aadc159817e7525a7df31bbbbc6c3d138f367a0790834b41c395123174985207
    • Instruction Fuzzy Hash: ECE06DFB2080197DB610CA01AE14DFB733DE5C6731330892AFC06D190AC3550D4A6635
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00E831B4,?,?,00E82EBA,?,?,00E82EBA,?,?,00E82EBA), ref: 00E831D8
    Memory Dump Source
    • Source File: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 88c286b519819ecb3936bad5ed8cea2ae5c31ba2f9811c64e6d3e198100660b0
    • Instruction ID: e69b2b06940edeadcb91295a1e56fd3922b8daabc216969f894ff112427d2af8
    • Opcode Fuzzy Hash: 88c286b519819ecb3936bad5ed8cea2ae5c31ba2f9811c64e6d3e198100660b0
    • Instruction Fuzzy Hash: 41F0F4B1A00205EFEB249F14CE04B98BBA1FF49B61F108065F44EAF1A2E37098D0CB54
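The API-call records in this report (for example the VirtualAlloc at 00E831D8 above) print raw hex arguments, so the allocation type and page protection have to be decoded by hand before they mean anything. The following parser and triage helper is an added example, written for this edit and not part of the Joe Sandbox report or tooling. The two sample lines are the VirtualAlloc records quoted in this section; the flag values are the documented winnt.h constants; the line regex, the dataclass layout and the triage wording are assumptions of this example.

```python
"""Parse Joe Sandbox API-call lines such as
   VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,...), ref: 00E831D8
into decoded records and give each VirtualAlloc a triage verdict.
Added example; not code from the report or from Joe Sandbox."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Documented Win32 constants (winnt.h): allocation type and page protection.
MEM_FLAGS = {
    0x00001000: "MEM_COMMIT",
    0x00002000: "MEM_RESERVE",
    0x00080000: "MEM_RESET",
    0x00100000: "MEM_TOP_DOWN",
    0x20000000: "MEM_LARGE_PAGES",
}
PAGE_PROT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXEC_MASK = 0xF0  # set for every PAGE_EXECUTE* value

# Assumed line shape: "<Api>.<Module>(<hex or ?, ...>), ref: <hex>" with an optional bullet.
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                   # call-site address inside the dumped image
    args: List[Optional[int]]  # None where the sandbox printed '?'
    decoded: dict = field(default_factory=dict)


def decode_virtualalloc(args: List[Optional[int]]) -> dict:
    """Name the four formal parameters and expand the flag words.
    The sandbox prints further stack slots after the parameters (e.g. the
    00E831B4 / 00E82EBA values above); zip() drops them, and a record that
    only recovered lpAddress stays partial instead of raising."""
    names = ["lpAddress", "dwSize", "flAllocationType", "flProtect"]
    out = dict(zip(names, args))
    atype, prot = out.get("flAllocationType"), out.get("flProtect")
    out["alloc_flags"] = None if atype is None else [n for b, n in MEM_FLAGS.items() if atype & b]
    if prot is None:
        out["protect"], out["executable"] = None, None
    else:
        base = PAGE_PROT.get(prot & 0xFF, "0x%x" % (prot & 0xFF))
        mods = [n for b, n in PAGE_MODIFIERS.items() if prot & b]
        out["protect"] = "|".join([base] + mods)
        out["executable"] = bool(prot & EXEC_MASK)
    return out


def parse_api_call(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for a well-formed record, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = [a.strip() for a in m["args"].split(",")] if m["args"].strip() else []
    args = [None if a == "?" else int(a, 16) for a in raw]
    call = ApiCall(m["api"], m["module"], int(m["ref"], 16), args)
    if call.api == "VirtualAlloc":
        call.decoded = decode_virtualalloc(args)
    return call


def triage(lines: List[str]) -> List[tuple]:
    """One (ref, verdict) per VirtualAlloc record. Executable pages are the
    classic staging signal; RW pages only matter together with a later
    VirtualProtect or a thread started inside the region."""
    findings = []
    for line in lines:
        call = parse_api_call(line)
        if call is None or call.api != "VirtualAlloc":
            continue
        exe = call.decoded.get("executable")
        if exe is True:
            verdict = "executable allocation (%s)" % call.decoded["protect"]
        elif exe is False:
            verdict = ("writable allocation (%s); look for VirtualProtect/CreateThread "
                       "on the region" % call.decoded["protect"])
        else:
            verdict = "protection not recovered; inspect the call site"
        findings.append(("%08X" % call.ref, verdict))
    return findings


# Constructed input: the two VirtualAlloc records quoted in this section of the report.
SAMPLE_LINES = [
    "• VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00E831B4,?,?,00E82EBA,?,?,00E82EBA,?,?,00E82EBA), ref: 00E831D8",
    "• VirtualAlloc.KERNELBASE(00000000), ref: 00CAF67F",
]

if __name__ == "__main__":
    for ref, verdict in triage(SAMPLE_LINES):
        print(ref, verdict)
```

Run against the section's own records, the call at 00E831D8 decodes to a 0x1000-byte MEM_COMMIT of PAGE_READWRITE memory and the call at 00CAF67F has only its first argument recovered. Neither request is for executable memory, so these allocations alone are not evidence of unpacking; an analyst should correlate them with the CreateThread functions listed earlier in this section and with any later protection change on the same region.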
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 3a4e71181438284c3adc902f96fb63667f366f8d73e888f9ee90e6119e0def3d
    • Instruction ID: f0e65230af36a77698cffe3e0224e8b95d8b7fe6f318574f1c25822b21ec4b9c
    • Opcode Fuzzy Hash: 3a4e71181438284c3adc902f96fb63667f366f8d73e888f9ee90e6119e0def3d
    • Instruction Fuzzy Hash: 4CE0263254E3553AE53076206E3176E3F598B51721F21988AF98DAA0D38584240A4326
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 00CAF67F
    Memory Dump Source
    • Source File: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: ca77416c94349be76fa5868213dab166db08f219db247ef790a2615d3e774fcf
    • Instruction ID: af4bb03a6face0a9cae8ad72450095f76dcc58f6fce48ee40ab663f8d759d163
    • Opcode Fuzzy Hash: ca77416c94349be76fa5868213dab166db08f219db247ef790a2615d3e774fcf
    • Instruction Fuzzy Hash: 38E0B6B150C205DFE7246F01D945AFD7AE4EB19329F15042DEA8945A40D2310C51DA97
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a8831bbcce573210d5dfe1911ca8262ce2970402aa4fd766365d8c2bd5d31328
    • Instruction ID: 89f0f88aabbdc57fb44621734c9e12e0612e26035fad99363123cf2eb8df3d27
    • Opcode Fuzzy Hash: a8831bbcce573210d5dfe1911ca8262ce2970402aa4fd766365d8c2bd5d31328
    • Instruction Fuzzy Hash: D2C08C3184D35667CA522F184B643DE7720BF02B14F008848EB80610A2D35504288385
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID:
    • String ID: O+ow
    • API String ID: 0-4197428609
    • Opcode ID: e0443a2add4b56bda32ff0bef4ed103e6d006634fe9224443e939b3ead469c82
    • Instruction ID: 1531e0f8290819789d36ad2f85f6f7e7f92697ff71b725d91935e580bca69a59
    • Opcode Fuzzy Hash: e0443a2add4b56bda32ff0bef4ed103e6d006634fe9224443e939b3ead469c82
    • Instruction Fuzzy Hash: FEB126F3A082109FE3109E1DDCC576BB7E9EF98720F1A853DEA84D3744E6399C458692
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID:
    • String ID: Y2~
    • API String ID: 0-3882514423
    • Opcode ID: 39c8fb631236437dc1ea686d4abc4975823b952bb00130415b2b30a40ba961ec
    • Instruction ID: a877b03a3164046a20b623236dc7b6d217fb0185ed60b7d1739e4fd3c2a6d423
    • Opcode Fuzzy Hash: 39c8fb631236437dc1ea686d4abc4975823b952bb00130415b2b30a40ba961ec
    • Instruction Fuzzy Hash: 1571F6F390C2049FE3187E28EC8576ABBE5EB94720F1A463DE6C583784FA3558158686
    Memory Dump Source
    • Source File: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d7b3241d41e3af0ac27c1c74ebb0c0dbf55088c49a25fcff3e11ecabb535bae2
    • Instruction ID: 9724eb3f59a318d64f5a807b17cca4fed3d237558d50a28c9add3cb81f8892bd
    • Opcode Fuzzy Hash: d7b3241d41e3af0ac27c1c74ebb0c0dbf55088c49a25fcff3e11ecabb535bae2
    • Instruction Fuzzy Hash: A45159F250C708DBD310BE2DEC40ABAF7E5EB90710F26992FD6C693704E6316942A657
    Memory Dump Source
    • Source File: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8d00547e457ab819651c7648affaf43d5228aab0adcd88be0f212c6f7852896a
    • Instruction ID: d624f62b3c67ce843c3e6dc5a94afed3b43c8c9fa9094dba967abe4137b189d1
    • Opcode Fuzzy Hash: 8d00547e457ab819651c7648affaf43d5228aab0adcd88be0f212c6f7852896a
    • Instruction Fuzzy Hash: 514162B350C210AFE345AE19DC81ABAF7E9FFD8720F26492EF6C5C3650D63448409A57
    Memory Dump Source
    • Source File: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3c692df544e389058ca78aad6c1163ffbbe0b9b3847e2ad6823bbda4d0d60d22
    • Instruction ID: 7cda81f68d7bee470511819ef89e0ab92aace7924fe19e839f3a51366a26c53b
    • Opcode Fuzzy Hash: 3c692df544e389058ca78aad6c1163ffbbe0b9b3847e2ad6823bbda4d0d60d22
    • Instruction Fuzzy Hash: D3415CB350C200AFE745AF19DC85AAAF7E5FFD8710F16492EE6C4C3250D63488418A97
    Memory Dump Source
    • Source File: 00000000.00000002.2249785197.0000000000E67000.00000080.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true
    • Associated: 00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249528029.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249631006.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249645882.0000000000E0E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249666016.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249697061.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249712694.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249726777.0000000000E33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249739255.0000000000E36000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249759676.0000000000E5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249771831.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249798980.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249813613.0000000000E7B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249826443.0000000000E7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249838318.0000000000E7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249850659.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249867388.0000000000E92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249880388.0000000000E93000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249893309.0000000000E9C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249905153.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249917717.0000000000E9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249930917.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249944922.0000000000EA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249958160.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249970382.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249983181.0000000000EAE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2249996550.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250010298.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250025499.0000000000EC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250039017.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250050948.0000000000ECE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250064195.0000000000ECF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250078899.0000000000ED7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250091938.0000000000EDA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250109936.0000000000EEA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250124369.0000000000EEB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F39000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250154344.0000000000F41000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250188094.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2250202492.0000000000F52000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ca0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0c8d5c0c894fb503cd25d029c810b36d49be4b71d55f8139fb8ba5d26a70be25
    • Instruction ID: e163bc3a36af58878f2fda8690e15e62d4c64368c8861deef67c953e7b3d7d88
    • Opcode Fuzzy Hash: 0c8d5c0c894fb503cd25d029c810b36d49be4b71d55f8139fb8ba5d26a70be25
    • Instruction Fuzzy Hash: 502106312893C25AC325EA7C9859A7AFF759B46318F29D19ED0C4EB193C2638886C341
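    The .sdmp names in the memory-dump listings above carry, as dot-separated hex fields, the region's base address and what look like the Windows page-protection and memory-type values (00000004, 00000008, 00000040, 00000080 in one field and 01000000 in another match PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY and MEM_IMAGE from winnt.h). The following is an added analyst helper, not Joe Sandbox code: it parses the names copied from this report, decodes those fields with the real winnt.h constants, and returns the image-backed regions that were both writable and executable at dump time. The field layout of the file name is an assumption inferred from the listing, not documented behaviour of the sandbox.

```python
"""Decode Joe Sandbox .sdmp file names into page-protection flags.

Added example (not Joe Sandbox code).  ASSUMPTION: the file name is laid
out as  proc.stage.dump_id.address.protect.f6.mem_type.seq.sdmp ; this is
inferred from the listing, where the 5th field only ever holds PAGE_*
values and the 7th holds 0x01000000 (MEM_IMAGE).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Exact constants from winnt.h.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE_MASK = 0x04 | 0x08 | 0x40 | 0x80
MEM_IMAGE = 0x01000000

# Assumed layout (see module docstring); f6 and seq are not interpreted.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<address>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<f6>[0-9A-Fa-f]{8})\.(?P<mem_type>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class Dump:
    name: str
    address: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect, f"0x{self.protect:X}")

    @property
    def is_image(self) -> bool:
        return bool(self.mem_type & MEM_IMAGE)

    @property
    def is_wx(self) -> bool:
        """Writable and executable at the same time (self-modifying / unpacked code)."""
        return bool(self.protect & EXECUTABLE_MASK) and bool(self.protect & WRITABLE_MASK)


def parse_sdmp_name(name: str) -> Dump:
    # HTML exports of the report fuse the "Download File" link text onto the name.
    if name.endswith("Download File"):
        name = name[: -len("Download File")]
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an sdmp name: {name!r}")
    return Dump(name, int(m["address"], 16), int(m["protect"], 16), int(m["mem_type"], 16))


def wx_image_regions(names: Iterable[str]) -> List[Dump]:
    """Image-backed regions that were RWX/WCX when dumped, sorted by address."""
    dumps = (parse_sdmp_name(n) for n in names)
    return sorted((d for d in dumps if d.is_image and d.is_wx), key=lambda d: d.address)


# Constructed input: names copied from the listing above (one with fused link text).
SAMPLE_NAMES = [
    "00000000.00000002.2249484369.0000000000CA0000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2249497990.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2249514520.0000000000CA6000.00000008.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2249543055.0000000000CB6000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2249666016.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File",
]

if __name__ == "__main__":
    for d in wx_image_regions(SAMPLE_NAMES):
        print(f"{d.address:08X}  {d.protect_name}")
```

    Run against the full Associated list of one entry, the output is the set of image pages an unpacker left writable and executable; pages at 0x04/0x08 are plain data and are skipped. If the sandbox's naming scheme differs from the assumed layout, the regex will reject the name rather than silently mis-decode it.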